GHSA-256q-hx8w-xcqx: Silverstripe Framework user enumeration via timing attack on login and password reset forms
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
- github.com/advisories/GHSA-256q-hx8w-xcqx
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/pull/11681
- github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
- nvd.nist.gov/vuln/detail/CVE-2017-12849
- www.silverstripe.org/download/security-releases/ss-2017-005
- www.silverstripe.org/download/security-releases/ss-2025-001
Code Behaviors & Features
Detect and mitigate GHSA-256q-hx8w-xcqx with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →