Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.
github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-013-1.yaml
github.com/silverstripe/silverstripe-framework
github.com/silverstripe/silverstripe-framework/commit/c28f411abd4837cdd9dbf87c4457976e678131cb
github.com/silverstripe/silverstripe-framework/commit/f688bcb1a370e41df1b573a24fa3994b3895bacf
www.silverstripe.org/download/security-releases/ss-2018-013