Описание
silverstripe/framework's User-Agent header not correctly invalidating user session
A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.
Ссылки
- https://github.com/silverstripe/silverstripe-framework/commit/44de03da0147e6094b02602b7b73d5b1a1306d78
- https://github.com/silverstripe/silverstripe-framework/commit/d47667bb0768841e4b305fa95d5a4e2ba232c4ad
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-006-1.yaml
- https://www.silverstripe.org/download/security-releases/ss-2017-006
Пакеты
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.5.0-rc1, < 3.5.6
3.5.6
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.6.0-rc1, < 3.6.3
3.6.3
7.5 High
CVSS3
Дефекты
CWE-384
7.5 High
CVSS3
Дефекты
CWE-384