silverstripe/framework sends passwords back to browsers under some circumstances
Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.5.5-rc1 | 3.7.0 |
|
silverstripe / framework
|
4.0.3-rc1 | 4.0.4 |
|
silverstripe / framework
|
4.1.0-rc1 | 4.1.1 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-013-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/c28f411abd4837cdd9dbf87c4457976e678131cb
- https://github.com/silverstripe/silverstripe-framework/commit/f688bcb1a370e41df1b573a24fa3994b3895bacf
- https://www.silverstripe.org/download/security-releases/ss-2018-013
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime