Silverstripe Brute force bypass on default admin

Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.

Published: May 23, 2024
Updated: Jun 27, 2024
GHSA: GHSA-8v6m-7f5v-hhx6
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-307

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.1.18	3.1.19
silverstripe / framework	3.2.3	3.2.4
silverstripe / framework	3.3.1	3.3.2

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2
https://www.silverstripe.org/download/security-releases/ss-2016-005

Vulnerability Database

Silverstripe Brute force bypass on default admin