GHSA-r3pr-fh25-wrfc: silverstripe/framework's install.php script discloses sensitive data by pre-populating DB credential forms
When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page and inspecting the value property of the password fields.
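An added check, not part of this advisory or of SilverStripe's own code, that a defender can run over a saved copy of an installer page's HTML source to confirm that no password field ships with a pre-populated value attribute. The form markup inside it is constructed for illustration (it is not the real install.php output), and the check goes slightly beyond the advisory by also flagging inputs whose name looks like a password regardless of their type.

```python
"""Flag <input> elements whose value attribute pre-populates a password."""
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    # Collects password-type inputs (and inputs named like a password, e.g. a
    # hidden duplicate) that carry a non-empty value attribute in page source.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "")
        looks_like_password = a.get("type", "").lower() == "password" or "pass" in name.lower()
        if looks_like_password and a.get("value", "") != "":
            self.findings.append((name, a["value"]))


def find_prefilled_passwords(html_source):
    """Return [(field name, leaked value), ...] for the given page source."""
    parser = PrefilledPasswordFinder()
    parser.feed(html_source)
    parser.close()
    return parser.findings


# Constructed sample of a pre-populated installer form (the flaw); this is an
# illustration, not SilverStripe's real install.php markup.
VULNERABLE_PAGE = """<form method="post">
  <input type="text" name="db[username]" value="ss_user">
  <input type="password" name="db[password]" value="s3cretDbPass">
  <input type="password" name="admin[password]" value="AdminPass1">
</form>"""

# Constructed sample of the remediated form: password fields carry no value.
FIXED_PAGE = """<form method="post">
  <input type="text" name="db[username]" value="ss_user">
  <input type="password" name="db[password]">
  <input type="password" name="admin[password]" value="">
</form>"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        leaks = find_prefilled_passwords(page)
        print(f"{label}: {len(leaks)} pre-populated password field(s)")
        for field, _ in leaks:
            print(f"  {field} carries its value in the page source")
```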
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-010-1.yaml
- github.com/advisories/GHSA-r3pr-fh25-wrfc
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/7a79cd039a96ef54182263d5fbb72addf093b171
- www.silverstripe.org/download/security-releases/ss-2017-010