Silverstripe Framework user enumeration via timing attack on login and password reset forms
Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
References
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
4.0.0 | 5.3.23 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2025-001.yaml
- https://github.com/silverstripe/silverstripe-framework/pull/11681
- https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-256q-hx8w-xcqx
- https://www.silverstripe.org/download/security-releases/ss-2017-005
- https://www.silverstripe.org/download/security-releases/ss-2025-001
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime