SYM_PHP_0028 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cleartext Transmission of Sensitive Information
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-319: Cleartext Transmission of Sensitive Information |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | Medium |
Impact Level | Low |
Likelihood Level | Low |
Description
The code disables SSL certificate verification in cURL requests by setting CURLOPT_SSL_VERIFYPEER to false, 0, or null. This allows connections to proceed even if the server's SSL certificate is invalid or untrusted.
Impact
Disabling SSL verification exposes sensitive data to interception and man-in-the-middle attacks. Attackers could impersonate trusted servers, steal credentials, or alter data in transit, compromising the security of your application and its users.
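The following PHP is an added example for this entry, not code from the Symbiotic Vulnerability Database or any project it scans. It shows the flagged pattern next to its hardened form and a small source check that mirrors the rule described above (CURLOPT_SSL_VERIFYPEER set to false, 0, or null). Function names, the sample source text, and the use of PHP 8 type syntax are assumptions made for the example.

```php
<?php
// Added example for the SYM_PHP_0028 entry; not code from the database or
// from any scanned project. Function and sample names are assumptions.

// --- Vulnerable pattern the rule flags -------------------------------------
// Peer verification is switched off, so any certificate (self-signed,
// expired, or issued for a different host) is accepted by libcurl.
function fetchInsecure(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // flagged: CWE-319
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// --- Hardened form ---------------------------------------------------------
// Keep libcurl's defaults: verify the certificate chain (VERIFYPEER) and
// that the certificate matches the requested host name (VERIFYHOST = 2).
// When the system trust store is not usable, point CURLOPT_CAINFO at a
// trusted CA bundle instead of disabling verification.
function fetchSecure(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plaintext fallback
    ]);
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface verification failures instead of silently degrading.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS request failed: $err");
    }
    curl_close($ch);
    return $body;
}

// --- Lightweight source check mirroring the rule ---------------------------
// Returns [lineNumber => lineText] for every line that sets
// CURLOPT_SSL_VERIFYPEER to false, 0, or null (case-insensitive), whether
// via curl_setopt(...) or an options array passed to curl_setopt_array().
function findDisabledPeerVerification(string $source): array
{
    $pattern = '/CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0|null)\b/i';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Constructed sample input for the check; not real project code.
$sample = <<<'PHP'
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => NULL]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
PHP;

foreach (findDisabledPeerVerification($sample) as $lineNo => $text) {
    echo "line $lineNo: $text\n";
}
```

The check is intentionally line-based and will miss a value passed through a variable or constant; treat it as a quick triage aid rather than a replacement for the rule's own analysis. The hardened function throws on a failed handshake so a certificate problem becomes a visible error instead of a reason to turn verification off.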