
exploitDog


GHSA-g84q-cq55-xwgp

Published: 27 May 2024
Source: github
GitHub: Reviewed
CVSS3: 5.3

Description

silverstripe/framework member disclosure in login form

There is a user ID enumeration vulnerability in our brute force error messages.

  • Users that don't exist will never get a locked-out message
  • Users that do exist will get a locked-out message

This means an attacker can infer or confirm user details that exist in the member table.

This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users as they do for existent users.
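The two behaviours side by side, as an added example that is not silverstripe/framework code: a minimal login check where only existing members accumulate failed attempts (and so are the only ones who ever see the lockout message), beside the equivalent-treatment version where the attempt log and lockout check are keyed on the submitted identifier before any member lookup. The member table, attempt store and message strings are constructed for the illustration.

```php
<?php
// Added example, not silverstripe/framework code. Member table, attempt
// store and message strings are constructed for illustration only.
const MAX_ATTEMPTS = 3;
const MSG_INVALID  = 'The provided details do not seem to be correct.';
const MSG_LOCKED   = 'Your account has been temporarily locked.';

// Constructed member table: identifier => password hash.
$members = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Vulnerable: attempts are only logged after the member lookup succeeds,
// so the lockout branch is reachable only for identifiers in the table.
function vulnerableLogin(string $email, string $password, array $members, array &$attempts): string {
    if (!isset($members[$email])) {
        return MSG_INVALID;                 // unknown identifier: never counted, never locked
    }
    if (($attempts[$email] ?? 0) >= MAX_ATTEMPTS) {
        return MSG_LOCKED;                  // known identifier: leaks that the member exists
    }
    if (password_verify($password, $members[$email])) { unset($attempts[$email]); return 'OK'; }
    $attempts[$email] = ($attempts[$email] ?? 0) + 1;
    return MSG_INVALID;
}

// Hardened: the attempt log and lockout check run on the submitted
// identifier regardless of whether a matching member exists.
function hardenedLogin(string $email, string $password, array $members, array &$attempts): string {
    if (($attempts[$email] ?? 0) >= MAX_ATTEMPTS) {
        return MSG_LOCKED;                  // same path for known and unknown identifiers
    }
    $ok = isset($members[$email]) && password_verify($password, $members[$email]);
    if ($ok) { unset($attempts[$email]); return 'OK'; }
    $attempts[$email] = ($attempts[$email] ?? 0) + 1;   // counted either way
    return MSG_INVALID;
}

// Drive both versions past the threshold with a known and an unknown identifier.
foreach (['alice@example.com', 'nobody@example.com'] as $email) {
    $v = []; $h = [];
    for ($i = 0; $i <= MAX_ATTEMPTS; $i++) {
        $lastV = vulnerableLogin($email, 'wrong', $members, $v);
        $lastH = hardenedLogin($email, 'wrong', $members, $h);
    }
    printf("%-20s vulnerable: %-48s hardened: %s\n", $email, $lastV, $lastH);
}
```

The vulnerable function returns the lockout message only for alice@example.com, which is the observable difference the advisory describes; the hardened function returns it for both identifiers.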

Packages

Name: silverstripe/framework (composer)
Affected versions: >= 3.4.0-rc1, < 3.4.6
Patched version: 3.4.6

Name: silverstripe/framework (composer)
Affected versions: >= 3.5.0-rc1, < 3.5.4
Patched version: 3.5.4

CVSS3: 5.3 Medium

Weaknesses: CWE-200