GHSA-p5h2-vr99-xm99

Source
https://github.com/advisories/GHSA-p5h2-vr99-xm99
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p5h2-vr99-xm99/GHSA-p5h2-vr99-xm99.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p5h2-vr99-xm99
Published
2024-05-27T18:36:59Z
Modified
2024-05-27T18:48:10.418743Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
silverstripe/framework ChangePasswordForm does not check `Member::canLogIn()`
Details

After a password reset, ChangePasswordForm::doChangePassword() logs the user in without checking Member::canLogIn(). This is a problem for sites that use the extension point in that method to deny access to certain users (for example, members who have not yet been "approved", or members whose access has been revoked temporarily): the password-reset flow bypasses that check entirely. Member::canLogIn() appears to have been designed originally only to check whether the user is locked out (due to too many incorrect login attempts), but it has since been opened up to other uses.

References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.19-rc1
Fixed
3.1.20

Affected versions

3.*

3.1.19-rc1
3.1.19
3.1.20-rc1
3.1.20-rc2

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.4-rc1
Fixed
3.2.5

Affected versions

3.*

3.2.4-rc1
3.2.4
3.2.5-rc1
3.2.5-rc2

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.2-rc1
Fixed
3.3.3

Affected versions

3.*

3.3.2-rc1
3.3.2
3.3.3-rc1
3.3.3-rc2

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0-rc1
Fixed
3.4.1

Affected versions

3.*

3.4.0-rc1
3.4.0
3.4.1-rc1
3.4.1-rc2