CVE-2019-12203

Description

SilverStripe through 4.3.3 allows session fixation in the "change password" form.

How to fix CVE-2019-12203

To remediate CVE-2019-12203, upgrade the affected package to a fixed version below.

• Packagist/silverstripe/framework—upgrade to 3.7.4 or later

Is CVE-2019-12203 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.7.0, < 3.7.4

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-12203
• WEBforum.silverstripe.org/c/releases
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2019-12203.yaml
• WEBgithub.com/silverstripe/silverstripe-framework/blob/4/docs/en/04_Changelogs/4.4.4.md#444