silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-5r8w-66hq-rc39
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.1.19-rc1	3.1.20
silverstripe / framework	3.2.4-rc1	3.2.5
silverstripe / framework	3.3.2-rc1	3.3.3
silverstripe / framework	3.4.0-rc1	3.4.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822
https://github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e
https://github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f
https://github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6
https://www.silverstripe.org/download/security-releases/ss-2016-014

Vulnerability Database

silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled