silverstripe/framework vulnerable to member disclosure in login form
Moderate severity
GitHub Reviewed
Published May 27, 2024 to the GitHub Advisory Database
Package: silverstripe/framework
Affected versions
>= 4.0.0-rc1, < 4.0.4
>= 4.1.0-rc1, < 4.1.1
Patched versions
4.0.4
4.1.1
Reviewed May 27, 2024

Description
There is a user ID enumeration vulnerability in the brute-force error messages of the login form. Because login attempts were only logged, and the account lockout only triggered, for users that exist in the member table, the response to repeated failed logins differed between existing and non-existent accounts. An attacker can therefore infer or confirm which user details (for example, email addresses) exist in the member table.
This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users as they do for existent users.
This is a regression of SS-2017-002.
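The oracle described above, modelled as an added example that is not SilverStripe's code: a login handler that only records attempts and locks out for members that exist, beside a hardened one whose counter and lockout advance identically for any submitted identifier, plus the probe an attacker would use to tell them apart. The member table, the lockout threshold and the message strings are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data (not from the advisory): one existing member.
MEMBERS: Dict[str, str] = {"alice@example.com": "correct-horse-battery"}

# Hypothetical lockout policy; the real threshold is configuration-dependent.
LOCKOUT_THRESHOLD = 3
GENERIC_FAILURE = "The provided details don't seem to be correct. Please try again."
LOCKED = "Your account has been temporarily disabled because of too many failed attempts."


@dataclass
class VulnerableLogin:
    """Attempts are only recorded for rows that exist in the member table,
    so an unknown email never reaches the lockout message."""
    attempts: Dict[str, int] = field(default_factory=dict)

    def login(self, email: str, password: str) -> str:
        member_password = MEMBERS.get(email)
        if member_password is None:
            return GENERIC_FAILURE  # nothing logged, no lockout: the oracle
        self.attempts[email] = self.attempts.get(email, 0) + 1
        if self.attempts[email] > LOCKOUT_THRESHOLD:
            return LOCKED
        if password == member_password:
            self.attempts.pop(email, None)
            return "OK"
        return GENERIC_FAILURE


@dataclass
class HardenedLogin:
    """Attempts are keyed by the submitted identifier and the lockout check
    runs before the member lookup, so the observable behaviour is the same
    whether or not the member exists."""
    attempts: Dict[str, int] = field(default_factory=dict)

    def login(self, email: str, password: str) -> str:
        key = email.strip().lower()
        self.attempts[key] = self.attempts.get(key, 0) + 1
        if self.attempts[key] > LOCKOUT_THRESHOLD:
            return LOCKED
        member_password = MEMBERS.get(key)
        if member_password is not None and password == member_password:
            self.attempts.pop(key, None)
            return "OK"
        return GENERIC_FAILURE


def probe_responses(login: Callable[[str, str], str], email: str, tries: int) -> List[str]:
    """Send repeated wrong passwords and collect the sequence of responses."""
    return [login(email, "definitely-wrong") for _ in range(tries)]


def leaks_membership(factory: Callable[[], object], candidate: str, control: str,
                     tries: int = LOCKOUT_THRESHOLD + 1) -> bool:
    """Attacker-side check: if a candidate address and a control address that
    certainly does not exist yield different response sequences, the login
    form is an existence oracle for the candidate."""
    service = factory()
    candidate_seq = probe_responses(service.login, candidate, tries)
    control_seq = probe_responses(service.login, control, tries)
    return candidate_seq != control_seq


if __name__ == "__main__":
    for impl in (VulnerableLogin, HardenedLogin):
        print(impl.__name__, "leaks membership:",
              leaks_membership(impl, "alice@example.com", "nobody@example.com"))
```

Equalising the messages and the lockout state is what the advisory's fix addresses; a complete hardening also keeps the work done for unknown identifiers (for example, running the password hash check against a dummy hash) comparable to the existing-member path, otherwise response timing can reopen the same oracle.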