Improper Authentication

Affecting silverstripe/framework package, versions >=3.1.19, <3.1.20 || >=3.2.4, <3.2.5 || >=3.3.2, <3.3.3 || >=3.4.0, <3.4.1

Overview

silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.

Affected versions of this package are vulnerable to Improper Authentication. If the "remember me" feature is enabled and users log in with the box checked, and a developer later disables the feature, the "remember me" cookies issued while it was on continue to authenticate those users: turning the setting off does not stop the framework from honouring pre-existing cookies, and it does not invalidate them.
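The following PHP sketch, added here as an illustration and not taken from silverstripe/framework, shows the shape of the flaw and of a fix. The token store, the `alogin` cookie name and the function names are hypothetical; the point is that a feature flag which is only consulted when a cookie is issued, and never when one is presented, leaves every previously issued cookie valid.

```php
<?php
declare(strict_types=1);

// Added example, not SilverStripe's own code. A hypothetical in-memory
// "remember me" token store stands in for the framework's database table.

final class RememberMeStore
{
    /** @var array<string, array{member: int, expires: int}> keyed by sha256(token) */
    private array $tokens = [];

    public function issue(int $memberId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        // Persist only a hash of the token, never the token itself.
        $this->tokens[hash('sha256', $token)] = [
            'member'  => $memberId,
            'expires' => $now + $ttlSeconds,
        ];
        return $token;
    }

    public function lookup(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->tokens[$key])) {
            return null;
        }
        if ($this->tokens[$key]['expires'] < $now) {
            unset($this->tokens[$key]);   // expired: drop it
            return null;
        }
        return $this->tokens[$key]['member'];
    }

    public function revokeAll(): void
    {
        $this->tokens = [];
    }
}

/**
 * Vulnerable shape: the cookie is honoured regardless of whether the feature
 * is still enabled, so tokens issued before it was switched off keep working.
 */
function autoLoginVulnerable(array $cookies, RememberMeStore $store, int $now): ?int
{
    if (!isset($cookies['alogin'])) {
        return null;
    }
    return $store->lookup($cookies['alogin'], $now);
}

/**
 * Hardened shape: the feature flag gates the whole code path, so a cookie is
 * never consulted while the feature is off.
 */
function autoLoginHardened(bool $enabled, array $cookies, RememberMeStore $store, int $now): ?int
{
    if (!$enabled) {
        return null;
    }
    if (!isset($cookies['alogin'])) {
        return null;
    }
    return $store->lookup($cookies['alogin'], $now);
}

/** Disabling the feature should also revoke every outstanding token server side. */
function disableRememberMe(RememberMeStore $store): bool
{
    $store->revokeAll();
    return false;   // new value of the feature flag
}

// A user logs in with the box checked while the feature is on (constructed data).
$store   = new RememberMeStore();
$now     = time();
$cookies = ['alogin' => $store->issue(42, 30 * 86400, $now)];
$later   = $now + 86400;   // a request the next day, same cookie

// Scenario 1: the developer flips the flag but leaves stored tokens in place.
$enabled = false;
var_dump(autoLoginVulnerable($cookies, $store, $later));          // int(42): still logged in
var_dump(autoLoginHardened($enabled, $cookies, $store, $later));  // NULL: gated by the flag

// Scenario 2: disabling also revokes tokens, so even code that forgot the
// gate has nothing left to match against.
$enabled = disableRememberMe($store);
var_dump(autoLoginVulnerable($cookies, $store, $later));          // NULL
```

Both halves of the fix matter: the gate stops the framework from consulting the cookie while the feature is off, and the revocation means a later re-enable cannot resurrect tokens that predate the change. A real handler would additionally expire the cookie on the client when it rejects it.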

Remediation

Upgrade silverstripe/framework to version 3.1.20, 3.2.5, 3.3.3, 3.4.1 or higher.

CVSS Score

4.8
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Patrick Nelson
CWE
CWE-287
Snyk ID
SNYK-PHP-SILVERSTRIPEFRAMEWORK-546515
Disclosed
05 Feb, 2020
Published
05 Feb, 2020