silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled · GHSA-5r8w-66hq-rc39 · GitHub Advisory Database · GitHub

silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled

Low severity GitHub Reviewed Published May 27, 2024 to the GitHub Advisory Database • Updated May 27, 2024

Package

silverstripe/framework (Composer)

Affected versions

>= 3.1.19-rc1, < 3.1.20

>= 3.2.4-rc1, < 3.2.5

>= 3.3.2-rc1, < 3.3.3

>= 3.4.0-rc1, < 3.4.1

Patched versions

3.1.20

3.2.5

3.3.3

3.4.1

Description

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.

References

Published to the GitHub Advisory Database May 27, 2024

Reviewed May 27, 2024

Last updated May 27, 2024

Severity

Low

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N