GHSA-ph62-fv59-vf9h

Suggest an improvement
Source
https://github.com/advisories/GHSA-ph62-fv59-vf9h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-ph62-fv59-vf9h/GHSA-ph62-fv59-vf9h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ph62-fv59-vf9h
Published
2024-05-27T21:50:43Z
Modified
2024-12-02T05:26:42.249434Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
silverstripe/framework users inadvertently passing sensitive data to LoginAttempt
Details

All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.

In order to address this a one-way hash is applied to the Email field before being stored.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-311"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T21:50:43Z"
}
References

Affected packages

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.5.0-rc1
Fixed
3.5.6

Affected versions

3.*

3.5.0-rc1
3.5.0-rc2
3.5.0-rc3
3.5.0
3.5.1-rc1
3.5.1-rc2
3.5.1
3.5.2-rc1
3.5.2
3.5.3-rc1
3.5.3
3.5.4-rc1
3.5.4
3.5.5-beta1
3.5.5-beta2
3.5.5
3.5.6-rc1

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.6.0-rc1
Fixed
3.6.3

Affected versions

3.*

3.6.0-rc1
3.6.0
3.6.1-alpha2
3.6.1
3.6.2-beta1
3.6.2-beta2
3.6.2
3.6.3-rc2

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-rc1
Fixed
4.0.1

Affected versions

4.*

4.0.0-rc1
4.0.0-rc2
4.0.0-rc3
4.0.0
4.0.1-rc1