silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled

2024-05-2718:53:40

CWE-613

GitHub Advisory Database

github.com

silverstripe framework

pre-existing cookies

authenticate users

remember me

software

AI Score

Confidence

Low

JSON

If remember me is on and users log in with the box checked, if the developer then disabled “remember me” function, any pre-existing cookies will continue to authenticate users.

Affected configurations

Vulners

Node

silverstripeframeworkRange3.4.0-rc1–3.4.1

silverstripeframeworkRange3.3.2-rc1–3.3.3

silverstripeframeworkRange3.2.4-rc1–3.2.5

silverstripeframeworkRange3.1.19-rc1–3.1.20

VendorProductVersionCPE
silverstripeframework*cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
silverstripe	framework	*	cpe:2.3:a:silverstripe:framework::::::::

References

github.com/advisories/GHSA-5r8w-66hq-rc39

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml

github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822

github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e

github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f

github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6

www.silverstripe.org/download/security-releases/ss-2016-014

AI Score

Confidence

Low

JSON