Main Vulnerability Database SB2023073124

SB2023073124 - Improper Authentication in SilverStripe Framework

Published: July 31, 2023 Updated: August 7, 2023

Security Bulletin ID SB2023073124

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authentication (CVE-ID: CVE-2023-32302)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to it is possible to set a blank password when a new member record is created. A remote attacker can bypass custom login forms

Remediation

Install update from vendor's website.

References

https://www.silverstripe.org/download/security-releases/cve-2023-32302/
https://github.com/silverstripe/silverstripe-framework/pull/10895
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3