Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.
CVSS
No CVSS.
References
No reference.
Configurations
No configuration.
History
07 Aug 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-20 |
04 Aug 2023, 17:28
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-862 | |
CVSS | v2 : ; v3 : | v2 : unknown; v3 : 8.1 |
CPE | cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14 - Release Notes | |
References | (MISC) https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4 - Patch | |
References | (MISC) https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3 - Exploit, Vendor Advisory | |
References | (MISC) https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13 - Release Notes |
01 Aug 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-01 11:15
Updated : 2024-02-05 00:01
NVD link : CVE-2023-32302
Mitre link : CVE-2023-32302
CVE.ORG link : CVE-2023-32302
Products Affected
No product.
CWE
No CWE.