silverstripe/framework sends passwords back to browsers under some circumstances · GHSA-vh7q-j8p5-2h4h · GitHub Advisory Database · GitHub

silverstripe/framework sends passwords back to browsers under some circumstances

Low severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

Package

silverstripe/framework (Composer)

Affected versions

>= 3.5.5-rc1, < 3.7.0

>= 4.0.3-rc1, < 4.0.4

>= 4.1.0-rc1, < 4.1.1

Patched versions

3.7.0

4.0.4

4.1.1

Description

Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.

References

Published to the GitHub Advisory Database May 27, 2024

Reviewed May 27, 2024

Last updated May 27, 2024

Severity

Low

3.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N