CVE-2022-36072

06.09.2022, 21:15

SilverwareGames.io is a social network for users to play video games online. In version 1.1.8 and prior, due to an unobvious feature of PHP, hashes generated by built-in functions and starting with the `0e` symbols were being handled as zero multiplied with the `e` number. Therefore, the hash value was equal to 0. The maintainers fixed this in version 1.1.9 by using `===` instead of `==` in comparisons where it is possible (e.g. on sign in/sign up handlers).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
GitHub_M	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
silverwaregames	silverwaregames	𝑥 < 1.1.9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-597 - Use of Wrong Operator in String Comparison
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

References

https://github.com/mesosoi/silverwaregames-io-issue-tracker/security/advisories/GHSA-w4wq-7j4q-j2fh