| Field | Value |
|---|---|
| Vulnerability ID | VCID-bwrh-updj-zkfs |
| Aliases | GHSA-g84q-cq55-xwgp |
| Summary | silverstripe/framework member disclosure in login form. There is a user ID enumeration vulnerability in our brute force error messages: users that don't exist will never get a locked-out message, while users that do exist will get a locked-out message. This means an attacker can infer or confirm user details that exist in the member table. This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users as they do for existent users. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-g84q-cq55-xwgp |
| cvssv3.1 | 5.3 | https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-002-1.yaml |
| generic_textual | MODERATE | https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-002-1.yaml |
| cvssv3.1 | 5.3 | https://github.com/silverstripe/silverstripe-framework |
| generic_textual | MODERATE | https://github.com/silverstripe/silverstripe-framework |
| cvssv3.1 | 5.3 | https://github.com/silverstripe/silverstripe-framework/commit/f71efb5063c57d823dd130b9bfd018f6ef903d49 |
| generic_textual | MODERATE | https://github.com/silverstripe/silverstripe-framework/commit/f71efb5063c57d823dd130b9bfd018f6ef903d49 |
| cvssv3.1 | 5.3 | https://www.silverstripe.org/download/security-releases/ss-2017-002 |
| generic_textual | MODERATE | https://www.silverstripe.org/download/security-releases/ss-2017-002 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:21:46.409971+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/framework/GHSA-g84q-cq55-xwgp.yml | 38.6.0 |