Silverstripe Brute force bypass on default admin

2024-05-2319:37:11

Google

osv.dev

silverstripe

default admin

brute force

vulnerability

software

7.2 High

AI Score

Confidence

Low

JSON

Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.

CPENameOperatorVersion
silverstripe/frameworkeq3.1.19-rc1
silverstripe/frameworkeq3.2.4-rc1
silverstripe/frameworkeq3.3.1
silverstripe/frameworkeq3.3.2-rc1
silverstripe/frameworkeq3.2.3
silverstripe/frameworkeq3.1.18

Name	Operator	Version
silverstripe/framework	eq	3.1.19-rc1
silverstripe/framework	eq	3.2.4-rc1
silverstripe/framework	eq	3.3.1
silverstripe/framework	eq	3.3.2-rc1
silverstripe/framework	eq	3.2.3
silverstripe/framework	eq	3.1.18

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2

www.silverstripe.org/download/security-releases/ss-2016-005

7.2 High

AI Score

Confidence

Low

JSON