Lucene search

K

GoogleOSV:GHSA-R3PR-FH25-WRFC

HistoryMay 27, 2024 - 10:54 p.m.

silverstripe/framework's install.php script discloses sensitive data by pre-populating DB credential forms

2024-05-2722:54:06

Google

osv.dev

7

silverstripe

framework

install.php

sensitive data

pre-populating

db credential

password fields

AI Score

7.2

Confidence

Low

When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the value property of the password fields.

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-010-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/7a79cd039a96ef54182263d5fbb72addf093b171

www.silverstripe.org/download/security-releases/ss-2017-010

AI Score

7.2

Confidence

Low