jce icon indicating copy to clipboard operation
jce copied to clipboard

Published 20 hours ago verified publisher icon widgetfactory

Joomla password is saved in clear text as "updates_key"

Open ReLater opened this issue 3 years ago • 0 comments

Describe the bug

  • Joomla 4.0.5.
  • JCE 2.9.18 FREE and earlier
  • Firefox 95.0.2 (64-Bit) on Win10
  • Save your Joomla credentials in Firefox after login in Joomla backend (FF asks if I want to save them).
  • If you have saved just 1(!) login credential for the Joomla domain.
  • Go to JCE > Control Panel > Options
  • The field Update Options > Update Key is prefilled by FireFox with the password of the currently logged in Joomla user.
  • If you save then the JCE options the password is saved in the database unhashed. Field params of #__extension COM_JCE.
  • And other users can see it afterwards by clicking on the eye button.
  • Users of FREE JCE version seldomly look into the "Update Options" to clear the field before saving.

Screenshots grafik

grafik

Additional context Question: If this is not solveable from your side: Is it a problem to enter a dummy key in that field or will I get then warnings or something on updates?

Thank you!

ReLater avatar Dec 25 '21 22:12 ReLater