Silverstripe Missing CSRF protection in login form
Moderate severity
GitHub Reviewed May 23, 2024
Published May 23, 2024 to the GitHub Advisory Database • Updated May 23, 2024
Package
Affected versions        Patched version
>= 3.1.18, < 3.1.19      3.1.19
>= 3.2.3, < 3.2.4        3.2.4
>= 3.3.1, < 3.3.2        3.3.2
Description
Silverstripe's LoginForm calls disableSecurityToken(), which strips the hidden SecurityID field that the Form class adds as its CSRF protection. Without that token the login POST is accepted from any origin, so an attacker can make a victim's browser submit a login with credentials the attacker controls (login CSRF); anything the victim then does on the site is recorded against the attacker's account. The referenced answer explains why this matters even on a login form, including the "shared host domain" case: http://stackoverflow.com/a/15350123.
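The following is an added example, not Silverstripe's own code or the patch from the fixed releases. It shows the vulnerable pattern (a login form that disables the token) next to a hardened form that keeps the token and verifies it before credentials are checked. It assumes the Silverstripe 3.x Form and SecurityToken API (Form::disableSecurityToken(), Form::getSecurityToken(), SecurityToken::checkRequest(), MemberAuthenticator::authenticate(), Member::logIn()); the class names UnprotectedLoginForm and ProtectedLoginForm are hypothetical.

```php
<?php
// Added example, not Silverstripe's own code. Assumes the Silverstripe 3.x
// Form/SecurityToken API; the two class names are hypothetical.

// Vulnerable pattern: disabling the token means the hidden SecurityID field
// is never rendered and Form::httpSubmission() skips the token check, so a
// login POST from any origin is processed.
class UnprotectedLoginForm extends Form
{
    public function __construct($controller, $name)
    {
        $fields = new FieldList(
            new EmailField('Email', 'Email'),
            new PasswordField('Password', 'Password')
        );
        $actions = new FieldList(new FormAction('dologin', 'Log in'));
        parent::__construct($controller, $name, $fields, $actions);

        $this->disableSecurityToken(); // the defect: removes CSRF protection
    }

    public function dologin($data, Form $form)
    {
        $member = MemberAuthenticator::authenticate($data, $form);
        if ($member) {
            $member->logIn();
            return $this->getController()->redirect('/');
        }
        $form->sessionMessage('Invalid credentials.', 'bad');
        return $this->getController()->redirectBack();
    }
}

// Hardened pattern: leave the token enabled (the Form default) and verify it
// explicitly before touching credentials, so a forged cross-site login is
// rejected even if a later refactor bypasses Form::httpSubmission().
class ProtectedLoginForm extends Form
{
    public function __construct($controller, $name)
    {
        $fields = new FieldList(
            new EmailField('Email', 'Email'),
            new PasswordField('Password', 'Password')
        );
        $actions = new FieldList(new FormAction('dologin', 'Log in'));
        parent::__construct($controller, $name, $fields, $actions);
        // No disableSecurityToken() call: the form renders SecurityID and
        // Form::httpSubmission() validates it on every POST.
    }

    public function dologin($data, Form $form)
    {
        $controller = $this->getController();

        // Belt-and-braces check against the session-bound token. With the
        // token enabled, getSecurityToken() is a real SecurityToken, not the
        // NullSecurityToken that disableSecurityToken() would install.
        if (!$this->getSecurityToken()->checkRequest($controller->getRequest())) {
            $form->sessionMessage('Your session has expired; please try again.', 'bad');
            return $controller->redirectBack();
        }

        $member = MemberAuthenticator::authenticate($data, $form);
        if ($member) {
            $member->logIn();
            return $controller->redirect('/');
        }
        $form->sessionMessage('Invalid credentials.', 'bad');
        return $controller->redirectBack();
    }
}
```

Two quick checks on an existing install: fetch the login page and confirm a hidden input named SecurityID is present in the rendered form, and grep the project's own code (`grep -rn "disableSecurityToken" mysite/ app/`) for any form that disables the token while still changing state on submit. The actual remedy for the advisory is to upgrade to one of the patched versions listed above.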