SS-2018-013: Passwords sent back to browsers under some circumstances

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2018-013
Versions Affected:: silverstripe/framework:^3.5, silverstripe/framework:^4.0.3, silverstripe/framework:^4.1.0
Versions Fixed:: silverstripe/framework:3.7.0, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
Release Date:: 2018-06-28

Under some circumstances a form may populate a PasswordField with submitted data, reflecting submitted data back to a user. The user will only see their own submissions for password data, which is not considered best practice. We are not aware of data leaks to other users, devices or sessions.

Reported by Logan Woods at Aura Information Security.