silverstripe/framework's User-Agent header not correctly invalidating user session

A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-4qx8-j9vh-2628
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.5.0-rc1	3.5.6
silverstripe / framework	3.6.0-rc1	3.6.3

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-006-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/44de03da0147e6094b02602b7b73d5b1a1306d78
https://github.com/silverstripe/silverstripe-framework/commit/d47667bb0768841e4b305fa95d5a4e2ba232c4ad
https://www.silverstripe.org/download/security-releases/ss-2017-006

Vulnerability Database

silverstripe/framework's User-Agent header not correctly invalidating user session