GHSA-4qx8-j9vh-2628: silverstripe/framework's User-Agent header not correctly invalidating user session
A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-006-1.yaml
- github.com/advisories/GHSA-4qx8-j9vh-2628
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/44de03da0147e6094b02602b7b73d5b1a1306d78
- github.com/silverstripe/silverstripe-framework/commit/d47667bb0768841e4b305fa95d5a4e2ba232c4ad
- www.silverstripe.org/download/security-releases/ss-2017-006
Code Behaviors & Features
Detect and mitigate GHSA-4qx8-j9vh-2628 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →