CVE-2023-32302 Information
Description
Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set an empty encrypted password is generated. As a result if someone is aware of the existence of a member record associated with a specific email address they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.
Reference
https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4 https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3 https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14 https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13
Share on: