GHSA-P5H2-VR99-XM99 silverstripe/framework ChangePasswordForm does not check `Member::canLogIn()`
After performing a password reset, ChangePasswordForm::doChangePassword logs in the user without checking Member::canLogIn. This presents an issue for sites that are using the extension point in that method to deny access to users, for example members that have not been “approved”, or members that...
Cross-Site Scripting (XSS)
silverstripe/framework is vulnerable to cross-site scripting (XSS) attacks. Using the validation message password parameter in ChangePasswordForm.php, attackers can inject web script or HTML...
SS-2016-011: ChangePasswordForm does not check Member::canLogIn()
More info at https://www.silverstripe.org/download/security-releases/ss-2016-011/...