GHSA-vh7q-j8p5-2h4h: 
PHP vulnerability analysis and mitigation

A security vulnerability (GHSA-vh7q-j8p5-2h4h) was discovered in the SilverStripe framework where passwords could be sent back to browsers under certain circumstances. The issue affects SilverStripe framework versions ^3.5, ^4.0.3, and ^4.1.0, and was fixed in versions 3.7.0, 4.0.4, and 4.1.1. The vulnerability was disclosed on June 28, 2018 (SilverStripe Advisory).

The vulnerability occurs when a form populates a PasswordField with submitted data, reflecting the submitted password data back to the user. The issue has been assigned a Low severity rating with a CVSS v3.1 score of 3.5. The CVSS metrics indicate Network attack vector, Low attack complexity, Low privileges required, User interaction required, Unchanged scope, Low confidentiality impact, and No impact on integrity or availability (GitHub Advisory).

The vulnerability allows users to see their own submitted password data reflected back in the browser, which is considered a security best practice violation. However, there is no evidence of password data leaks to other users, devices, or sessions (SilverStripe Advisory).

The issue has been fixed in SilverStripe framework versions 3.7.0, 4.0.4, and 4.1.1. Users should upgrade to these patched versions to resolve the vulnerability. The fix involves modifications to prevent password fields from reflecting submitted data back to users (SilverStripe Advisory).