GitHub Advisory Database: GHSA-R3PR-FH25-WRFC
History: May 27, 2024 - 10:54 p.m.

silverstripe/framework's install.php script discloses sensitive data by pre-populating DB credential forms

2024-05-27 22:54:06
CWE-200
GitHub Advisory Database
github.com
Tags: silverstripe, install.php, sensitive data disclosure, database credentials, default admin password

AI Score: 7.2 High (Confidence: Low)

When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the value property of the password fields.
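
As an added example (not code from the advisory or from silverstripe/framework), a regression check that can be run over rendered installer HTML to confirm that no password field carries a pre-filled value attribute. The sample pages and field names are constructed for illustration.

```python
"""Audit rendered HTML for password inputs that ship a pre-filled value."""
from html.parser import HTMLParser


class PasswordValueAudit(HTMLParser):
    """Records every <input type="password"> whose value attribute is non-empty."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags are routed here as well by HTMLParser.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            line, _col = self.getpos()
            # Report the length only, so the audit output never repeats the secret.
            self.findings.append(
                {"name": a.get("name", ""), "line": line, "value_length": len(a["value"])}
            )


def audit(html):
    parser = PasswordValueAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages; the field names are hypothetical, not SilverStripe's.
PREFILLED_PAGE = """<form action="install.php" method="post">
  <input type="text" name="db[username]" value="appuser">
  <input type="password" name="db[password]" value="constructed-db-secret">
  <input type="PASSWORD" name="admin[password]" value="constructed-admin-secret" />
</form>"""

CLEAN_PAGE = """<form action="install.php" method="post">
  <input type="text" name="db[username]" value="appuser">
  <input type="password" name="db[password]" value="">
  <input type="password" name="admin[password]">
</form>"""

if __name__ == "__main__":
    for label, page in (("prefilled", PREFILLED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, audit(page))
```

A non-empty result means the server wrote a stored secret into the response body, where it can be read from the page source regardless of the field being masked on screen.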

Affected configurations

Vulners
Node: silverstripe framework, Range: <4.0.1

CPE Name                 Operator   Version
silverstripe/framework   lt         4.0.1
