Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.

** REJECT ** Authoritative user requested CVE rejection
https://github.com/github/advisory-database/pull/2575#issuecomment-1745811653

GitHub, Inc. AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

GitHub, Inc. CWE-20

https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4 [Patch]

https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14 [Release Notes]

https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13 [Release Notes]

https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3 [Exploit, Vendor Advisory]

CWE-20 / More specific CWE option available