Description
silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled
If "remember me" is enabled and users log in with the box checked, and the developer then disables the "remember me" function, any pre-existing cookies will continue to authenticate users.
References
- https://github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822
- https://github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e
- https://github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f
- https://github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml
- https://www.silverstripe.org/download/security-releases/ss-2016-014
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| silverstripe/framework (composer) | >= 3.1.19-rc1, < 3.1.20 | 3.1.20 |
| silverstripe/framework (composer) | >= 3.2.4-rc1, < 3.2.5 | 3.2.5 |
| silverstripe/framework (composer) | >= 3.3.2-rc1, < 3.3.3 | 3.3.3 |
| silverstripe/framework (composer) | >= 3.4.0-rc1, < 3.4.1 | 3.4.1 |

3.1 Low
CVSS3
Weaknesses
CWE-613