Описание
Silverstripe Framework user enumeration via timing attack on login and password reset forms
Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
References
Ссылки
- https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
- https://nvd.nist.gov/vuln/detail/CVE-2017-12849
- https://github.com/silverstripe/silverstripe-framework/pull/11681
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
Пакеты
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 4.0.0, < 5.3.23
5.3.23
5.3 Medium
CVSS3
Дефекты
CWE-204
5.3 Medium
CVSS3
Дефекты
CWE-204