Description
silverstripe/framework's install.php script discloses sensitive data by pre-populating DB credential forms
When accessing the install.php script, it is possible to extract any pre-configured database or default admin account password by viewing the source of the page and inspecting the value attribute of the password fields.
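As an added example (not part of the original advisory or of SilverStripe's code), here is a regression check a maintainer could run over rendered installer HTML to confirm that no password input is served with a non-empty value attribute. The sample markup and its field names are constructed for illustration.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collects <input type="password"> elements served with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line number, field name)

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags are routed here as well.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lower-cased
        is_password = a.get("type", "").strip().lower() == "password"
        if is_password and a.get("value", "") != "":
            line, _ = self.getpos()
            self.findings.append((line, a.get("name") or a.get("id") or "?"))


def prefilled_password_fields(html):
    """Return (line, field name) for each password input that leaks a value."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a form rendered with secrets echoed into the markup.
SAMPLE_LEAKY = """<form method="post">
  <input type="text" name="db[username]" value="appuser">
  <input type="password" name="db[password]" value="example-db-secret">
  <input type="Password" name="admin[password]" value="example-admin-secret" />
</form>"""

# Constructed sample: the same form with password fields left empty.
SAMPLE_FIXED = """<form method="post">
  <input type="text" name="db[username]" value="appuser">
  <input type="password" name="db[password]" value="">
  <input type="password" name="admin[password]">
</form>"""

if __name__ == "__main__":
    for line, name in prefilled_password_fields(SAMPLE_LEAKY):
        print(f"line {line}: password field {name!r} is pre-populated")
```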
Packages
Name: silverstripe/framework (composer)
Affected versions: >= 4.0.0-rc1, < 4.0.1
Fixed version: 4.0.1
CVSS3: 6.5 Medium
Weaknesses
CWE-200