#git

User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.

A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.

Authenticated user with page edit permission can craft HTML, which when rendered in a page history comparison can execute client scripts.

RedirectorPage will allow users to specify a non-url malicious script as the redirection path without validation. Users which follow this url may allow this script to execute within their browser.

In follow up to [SS-2016-001](https://www.silverstripe.org/download/security-releases/ss-2016-001/) there is yet a minor unresolved fix to incorrectly encoded URL.

silverstripe/framework is vulnerable to XSS in Page name where the payload `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.

There is a user ID enumeration vulnerability in our brute force error messages. - Users that don't exist in will never get a locked out message - Users that do exist, will get a locked out message This means an attacker can infer or confirm user details that exist in the member table. This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.

List of key / value pairs assigned to `OptionsetField` or `CheckboxSetField` do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML.

The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name". If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.