NVD

Vulnerability Change Records for CVE-2023-32302

Action	Type	Old Value	New Value
Removed	CVSS V3.1	GitHub, Inc. AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
Removed	CWE	GitHub, Inc. CWE-20
Removed	CWE Reason	CWE-20 / More specific CWE option available
Changed	Description	Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.	REJECT Authoritative user requested CVE rejection https://github.com/github/advisory-database/pull/2575#issuecomment-1745811653
Removed	Reference	https://github.com/silverstripe/silverstripe-framework/commit/7b21b38ac4532d06565dfcefad50540ebd2b50f4 [Patch]
Removed	Reference	https://github.com/silverstripe/silverstripe-framework/releases/tag/4.13.14 [Release Notes]
Removed	Reference	https://github.com/silverstripe/silverstripe-framework/releases/tag/5.0.13 [Release Notes]
Removed	Reference	https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-36xx-7vf6-7mv3 [Exploit, Vendor Advisory]