silverstripe/framework users inadvertently passing sensitive data to LoginAttempt

2024-05-2721:50:43

CWE-311

GitHub Advisory Database

github.com

sensitive information

plaintext

user login_attempts

AI Score

6.7

Confidence

Low

JSON

All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.

In order to address this a one-way hash is applied to the Email field before being stored.

Affected configurations

Vulners

Node

silverstripeframeworkRange4.0.0-rc1–4.0.1

silverstripeframeworkRange3.6.0-rc1–3.6.3

silverstripeframeworkRange3.5.0-rc1–3.5.6

VendorProductVersionCPE
silverstripeframework*cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
silverstripe	framework	*	cpe:2.3:a:silverstripe:framework::::::::

References

github.com/advisories/GHSA-ph62-fv59-vf9h

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-009-1.yaml

github.com/silverstripe/silverstripe-framework/commit/3e2bcaa0b49277ff7f7004b265a7fa80d0b92e5c

github.com/silverstripe/silverstripe-framework/commit/c5d6eb816d4ac5e9fa3d8bc4bd82de95719eb22d

github.com/silverstripe/silverstripe-framework/commit/f1dd3d6f03eb1d94c29c495994a1da9176a758d9

www.silverstripe.org/download/security-releases/ss-2017-009

AI Score

6.7

Confidence

Low

JSON