GHSA-p5h2-vr99-xm99

Source

https://github.com/advisories/GHSA-p5h2-vr99-xm99

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p5h2-vr99-xm99/GHSA-p5h2-vr99-xm99.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p5h2-vr99-xm99

Published

2024-05-27T18:36:59Z

Modified

2024-12-02T05:47:41.315810Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

silverstripe/framework ChangePasswordForm does not check `Member::canLogIn()`

Details

After performing a password reset, ChangePasswordForm::doChangePassword() logs in the user without checking Member::canLogIn(). This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like Member::canLogIn() was originally designed to only be used for checking whether the user is locked out (due to too many incorrect login attempts) but has been opened up to other uses.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T18:36:59Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.19-rc1

Fixed

3.1.20

Affected versions

3.*

3.1.19-rc1

3.1.19

3.1.20-rc1

3.1.20-rc2

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.4-rc1

Fixed

3.2.5

Affected versions

3.*

3.2.4-rc1

3.2.4

3.2.5-rc1

3.2.5-rc2

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.2-rc1

Fixed

3.3.3

Affected versions

3.*

3.3.2-rc1

3.3.2

3.3.3-rc1

3.3.3-rc2

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0-rc1

Fixed

3.4.1

Affected versions

3.*

3.4.0-rc1

3.4.0

3.4.1-rc1

3.4.1-rc2