silverstripe/framework sends passwords back to browsers under some circumstances

Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-vh7q-j8p5-2h4h
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.5.5-rc1	3.7.0
silverstripe / framework	4.0.3-rc1	4.0.4
silverstripe / framework	4.1.0-rc1	4.1.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-013-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/c28f411abd4837cdd9dbf87c4457976e678131cb
https://github.com/silverstripe/silverstripe-framework/commit/f688bcb1a370e41df1b573a24fa3994b3895bacf
https://www.silverstripe.org/download/security-releases/ss-2018-013

Vulnerability Database

silverstripe/framework sends passwords back to browsers under some circumstances