GHSA-ph62-fv59-vf9h: silverstripe/framework users inadvertently passing sensitive data to LoginAttempt
All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.
In order to address this a one-way hash is applied to the Email field before being stored.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-009-1.yaml
- github.com/advisories/GHSA-ph62-fv59-vf9h
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/3e2bcaa0b49277ff7f7004b265a7fa80d0b92e5c
- github.com/silverstripe/silverstripe-framework/commit/c5d6eb816d4ac5e9fa3d8bc4bd82de95719eb22d
- github.com/silverstripe/silverstripe-framework/commit/f1dd3d6f03eb1d94c29c495994a1da9176a758d9
- www.silverstripe.org/download/security-releases/ss-2017-009
Code Behaviors & Features
Detect and mitigate GHSA-ph62-fv59-vf9h with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →