PT-2023-23713 · Silverstripe · Silverstripe/Framework

Published: 2023-07-31 · Updated: 2023-10-04 · CVE-2023-32302

CVSS v3.1: 0.0 (None)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Silverstripe Framework versions prior to 4.13.4
Silverstripe Framework versions prior to 5.0.13

Description

The issue arises when a new member record is created without a password being set, so the stored (encrypted) password is empty. An attacker who knows the email address associated with such a member record can attempt to log in with an empty password. The default member authenticator and login form reject an empty password, but custom authentication methods that do not enforce this check may accept it and grant a login.

Recommendations

For Silverstripe Framework versions prior to 4.13.4, update to version 4.13.4 or later. For Silverstripe Framework versions prior to 5.0.13, update to version 5.0.13 or later.

To detect existing member records with empty passwords, loop over all member records using Member::get() and pass each record into the memberHasBlankPassword method. For each affected member, generate a new secure password, mark it as immediately expired, and email the member with instructions to reset their password.
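The detection and remediation steps above as a Silverstripe BuildTask. This is an added example, not code from the advisory or from Silverstripe itself; it assumes Silverstripe 4.x/5.x APIs (Member::get(), Member::changePassword(), Security::lost_password_url()), a project namespace of App\Tasks, an admin_email configured for the From address, and a local memberHasBlankPassword implementation, since the advisory names the method but not where it lives.

```php
<?php
// Added example, not Silverstripe's own code. Finds member records whose stored
// password is blank, gives each a random password that is expired immediately,
// and emails the member a reset link. List without changing anything: ?dryrun=1
namespace App\Tasks; // assumed project namespace

use SilverStripe\Control\Director;
use SilverStripe\Control\Email\Email;
use SilverStripe\Dev\BuildTask;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

class BlankPasswordAuditTask extends BuildTask
{
    private static $segment = 'BlankPasswordAuditTask';
    protected $title = 'Expire member records that have a blank password';

    public function run($request)
    {
        $dryRun = (bool) $request->getVar('dryrun');
        foreach (Member::get() as $member) {
            if (!$this->memberHasBlankPassword($member)) {
                continue;
            }
            echo "Blank password: Member #{$member->ID} <{$member->Email}>\n";
            if ($dryRun) {
                continue;
            }
            // 128 random bits; the fixed prefix only satisfies character-class rules
            // of a configured PasswordValidator. Nobody is told this value.
            $newPassword = 'A!' . bin2hex(random_bytes(16));
            $member->PasswordExpiry = date('Y-m-d'); // expired as of today
            if (!$member->changePassword($newPassword)->isValid()) { // encrypts and writes
                echo "  could not reset Member #{$member->ID}\n";
                continue;
            }
            $resetUrl = Director::absoluteURL(Security::lost_password_url());
            Email::create('', $member->Email, 'Please reset your password',
                "No password was ever set on your account, so it has been replaced by a "
                . "random one that has already expired. Choose a new one here: $resetUrl")->send();
        }
    }

    // The check the advisory names, implemented locally: a member whose stored
    // hash is empty was created without a password.
    private function memberHasBlankPassword(Member $member): bool
    {
        return trim((string) $member->Password) === '';
    }
}
```

Run it first with ?dryrun=1 (dev/tasks/BlankPasswordAuditTask?dryrun=1) to list affected members before any record is changed.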

Related Identifiers

CVE-2023-32302
GHSA-36XX-7VF6-7MV3

Affected Products

Silverstripe/Framework