GHSA-p5h2-vr99-xm99: silverstripe/framework ChangePasswordForm does not check `Member::canLogIn()`
After performing a password reset, ChangePasswordForm::doChangePassword() logs in the user without checking Member::canLogIn(). This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like Member::canLogIn() was originally designed to only be used for checking whether the user is locked out (due to too many incorrect login attempts) but has been opened up to other uses.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-011-1.yaml
- github.com/advisories/GHSA-p5h2-vr99-xm99
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/2b30ade44d333a4da4d13b31ffa28d0a34597442
- github.com/silverstripe/silverstripe-framework/commit/6606d986634f5b5dec16462acaa8d9a513c29fec
- github.com/silverstripe/silverstripe-framework/commit/6d41db77fa78f473db7bcff389456c980ef4e412
- github.com/silverstripe/silverstripe-framework/commit/782c18fd13b9fb92707d0ea3b231023204928297
- www.silverstripe.org/download/security-releases/ss-2016-011
Code Behaviors & Features
Detect and mitigate GHSA-p5h2-vr99-xm99 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →