GHSA-ph62-fv59-vf9h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ph62-fv59-vf9h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-ph62-fv59-vf9h/GHSA-ph62-fv59-vf9h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ph62-fv59-vf9h
- Published
- 2024-05-27T21:50:43Z
- Modified
- 2024-12-02T05:26:42.249434Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- silverstripe/framework users inadvertently passing sensitive data to LoginAttempt
- Details
-
All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.
In order to address this a one-way hash is applied to the Email field before being stored.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-311" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-27T21:50:43Z" }- References
-
- https://github.com/silverstripe/silverstripe-framework/commit/3e2bcaa0b49277ff7f7004b265a7fa80d0b92e5c
- https://github.com/silverstripe/silverstripe-framework/commit/c5d6eb816d4ac5e9fa3d8bc4bd82de95719eb22d
- https://github.com/silverstripe/silverstripe-framework/commit/f1dd3d6f03eb1d94c29c495994a1da9176a758d9
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-009-1.yaml
- https://github.com/silverstripe/silverstripe-framework
- https://www.silverstripe.org/download/security-releases/ss-2017-009
Affected packages
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework
Packagist / silverstripe/framework
Package
- Name
- silverstripe/framework
- Purl
- pkg:composer/silverstripe/framework