GHSA-vj2j-6g3w-4662: Silverstripe Missing CSRF protection in login form
LoginForm calls disableSecurityToken(), which causes a “shared host domain” vulnerability: http://stackoverflow.com/a/15350123.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-006-1.yaml
- github.com/advisories/GHSA-vj2j-6g3w-4662
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/a6bd22ab2f3b11a054d20be13306a19089510989
- stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks/15350123
- www.silverstripe.org/download/security-releases/ss-2016-006
Code Behaviors & Features
Detect and mitigate GHSA-vj2j-6g3w-4662 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →