CVE-2023-32302: Improper Input Validation
Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created without a password being set, the framework generates and stores an encrypted (hashed) password for the empty string. As a result, anyone who knows that a member record exists for a given email address can attempt to log in to it with an empty password. The default member authenticator and login form require a non-empty password and therefore refuse such an attempt, but alternative authentication methods that do not enforce that check may accept the empty password and grant access. This issue has been patched in versions 4.13.14 and 5.0.13.
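The following Python model is an added illustration of the failure mode described above; it is not code from Silverstripe Framework or from the fix commit, and the names `MemberStore`, `default_login_form` and `alternative_authenticator`, as well as the use of PBKDF2-SHA256 as the stand-in password encryptor, are assumptions made for the example. With `reject_empty=False` it reproduces the pre-patch behaviour: a record created without a password receives a hash of `""`, the form-level check blocks the empty login, but an authenticator that calls the core password check directly accepts it. With `reject_empty=True` it shows the hardened behaviour, where a member without a password has no usable credential and the core check itself refuses empty candidates.

```python
"""Model of CVE-2023-32302's failure mode: a member record created without a
password silently receives a hash of the empty string, which a lenient
authenticator will accept. Illustrative code only, not Silverstripe's."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the framework's password encryptor (assumption: PBKDF2-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class MemberStore:
    """Hypothetical member table. reject_empty=False reproduces the pre-patch
    behaviour; reject_empty=True is the hardened behaviour."""

    def __init__(self, reject_empty: bool) -> None:
        self.reject_empty = reject_empty
        self._members: Dict[str, dict] = {}

    def create_member(self, email: str, password: Optional[str] = None) -> None:
        salt = os.urandom(16)
        if not password:
            if self.reject_empty:
                # Hardened: no password means no credential at all; nothing can match it.
                self._members[email] = {"salt": salt, "hash": None}
                return
            # Vulnerable: "no password" is treated as the empty string and hashed,
            # so the record now carries a valid-looking credential equal to "".
            password = ""
        self._members[email] = {"salt": salt, "hash": hash_password(password, salt)}

    def check_password(self, email: str, candidate: str) -> bool:
        member = self._members.get(email)
        if member is None or member["hash"] is None:
            return False
        if self.reject_empty and candidate == "":
            # Hardened: refuse empty candidates in the core check, not only in one form.
            return False
        return hmac.compare_digest(member["hash"], hash_password(candidate, member["salt"]))


def default_login_form(store: MemberStore, email: str, candidate: str) -> bool:
    # The default login form requires a non-empty password before authenticating.
    if candidate == "":
        return False
    return store.check_password(email, candidate)


def alternative_authenticator(store: MemberStore, email: str, candidate: str) -> bool:
    # Hypothetical alternative method (e.g. a custom API login) that skips the
    # form-level check and calls the core password check directly.
    return store.check_password(email, candidate)


def run_scenario(reject_empty: bool) -> Dict[str, bool]:
    store = MemberStore(reject_empty=reject_empty)
    store.create_member("no-password@example.com")             # constructed sample record
    store.create_member("alice@example.com", "correct horse")  # constructed sample record
    return {
        "form_empty": default_login_form(store, "no-password@example.com", ""),
        "alt_empty": alternative_authenticator(store, "no-password@example.com", ""),
        "alt_wrong": alternative_authenticator(store, "alice@example.com", ""),
        "alt_real": alternative_authenticator(store, "alice@example.com", "correct horse"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(reject_empty=False))
    print("hardened:  ", run_scenario(reject_empty=True))
```

The point of the hardened branch is where the check lives: guarding only the default login form leaves every other caller of the password check exposed, so the refusal has to sit in record creation and in the core check itself, not in one entry point.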
References
- github.com/advisories/GHSA-36xx-7vf6-7mv3
- github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4
- github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14
- github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13
- github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3
- nvd.nist.gov/vuln/detail/CVE-2023-32302