GHSA-256q-hx8w-xcqx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-256q-hx8w-xcqx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-256q-hx8w-xcqx/GHSA-256q-hx8w-xcqx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-256q-hx8w-xcqx
- Published
- 2025-04-10T20:12:55Z
- Modified
- 2025-04-10T20:25:59.078190Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Silverstripe Framework user enumeration via timing attack on login and password reset forms
- Details
-
Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
References
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-204" ], "nvd_published_at": null, "github_reviewed_at": "2025-04-10T20:12:55Z", "severity": "MODERATE" }- References
-
- https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
- https://nvd.nist.gov/vuln/detail/CVE-2017-12849
- https://github.com/silverstripe/silverstripe-framework/pull/11681
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
- https://github.com/silverstripe/silverstripe-framework
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
Affected packages
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Affected versions
4.*
4.0.0
4.0.1-rc1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0-rc1
4.1.0-rc2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.2.0-beta1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0-rc1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.5.0-alpha1
4.5.0-rc1
4.5.0-rc2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0-beta1
4.6.0-rc1
4.6.0
4.6.1
4.6.2
4.7.0-beta1
4.7.0-rc1
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.8.0-beta1
4.8.0-rc1
4.8.0
4.8.1
4.9.0-alpha1
4.9.0-beta1
4.9.0-rc1
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0-beta1
4.10.0-rc1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.10.9
4.10.10
4.10.11
4.11.0-beta1
4.11.0-beta2
4.11.0-beta3
4.11.0-rc1
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9
4.11.10
4.11.11
4.11.12
4.11.13
4.11.14
4.11.15
4.11.16
4.12.0-beta1
4.12.0-rc1
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0-beta1
4.13.0-rc1
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44
5.*
5.0.0-alpha1
5.0.0-beta1
5.0.0-beta2
5.0.0-beta3
5.0.0-rc1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.1.0-beta1
5.1.0-rc1
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.1.23
5.2.0-beta1
5.2.0-rc1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.14
5.2.15
5.2.16
5.2.17
5.2.18
5.2.19
5.2.20
5.2.21
5.2.22
5.3.0-beta1
5.3.0-rc1
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.20
5.3.21
5.3.22