SS-2015-023: Advanced workflow member field exposure

November 23, 2015

By default, the CMS Admin editable template for the NotifyUsers action has access to a large number of fields, including (for instance) Member#Password. This would allow a malicious CMS Admin to extract other admin passwords by adding a template emailing these fields to themselves when other admins trigger the workflow. A new configuration option has been added; when this option is set to true via the Config API then only member fields specified via Member.summary_fields may be accessed.

References

www.silverstripe.org/download/security-releases/SS-2015-023

Code Behaviors & Features

Detect and mitigate SS-2015-023 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →