silverstripe/framework vulnerable to user enumeration via timing attack on login and password reset forms
Severity: High (GitHub Reviewed)
Published to the GitHub Advisory Database: May 27, 2024 • Updated: May 27, 2024
Package: silverstripe/framework
Affected versions: >= 3.5.0-rc1, < 3.5.5; >= 3.6.0-rc1, < 3.6.2
Patched versions: 3.5.5, 3.6.2
Description
User enumeration is possible by performing a timing attack on the login or password reset forms using submitted user credentials.
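The mitigation for this class of bug is to make the authentication path do the same amount of work whether or not the submitted username exists. The following is an added, self-contained illustration (not SilverStripe code, and not the project's fix) with a constructed in-memory user store: `login_leaky` returns early for unknown users, so its response time reveals whether the account exists, while `login_constant_work` always runs the password hash against a dummy record and compares in constant time. All names (`USERS`, `login_leaky`, `login_constant_work`, `measure`) are assumptions for this example.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed example data: an in-memory user store, not an application's real one.
ITERATIONS = 50_000  # PBKDF2 work factor; kept modest so the demo runs quickly
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy-password", _DUMMY_SALT, ITERATIONS)


def make_record(password: str) -> dict:
    """Salted PBKDF2-SHA256 record for a constructed user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


USERS = {"alice": make_record("correct horse battery staple")}


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users skip the hash, so they answer faster."""
    record = USERS.get(username)
    if record is None:
        return False  # early return: no PBKDF2 work performed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return candidate == record["hash"]


def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: same hash work and a constant-time compare on every path."""
    record = USERS.get(username)
    if record is None:
        # Hash against a dummy record so the timing matches the known-user path;
        # the result is discarded via the `exists` flag.
        salt, expected, exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        salt, expected, exists = record["salt"], record["hash"], True
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected) and exists


def measure(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds for `rounds` calls of fn(username, password)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = measure(fn, "alice", "wrong-password")
        unknown = measure(fn, "nobody", "wrong-password")
        print(f"{fn.__name__:>20}: known user {known*1000:.1f} ms, unknown user {unknown*1000:.1f} ms")
```

Running the script shows the leaky variant answering unknown usernames in a fraction of the time it takes for a known one, while the constant-work variant's two timings are within noise of each other. The same idea applies to a password reset form: look up the account and send mail (or not) without letting the response time or message text depend on whether the address was found.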
References