Lucene search

K
githubGitHub Advisory DatabaseGHSA-2HPC-MF4Q-J885
HistoryMay 23, 2024 - 7:19 p.m.

Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter

2024-05-2319:19:33
CWE-352
GitHub Advisory Database
github.com
1
silverstripe
csrf vulnerability
gridfield
csrf protection
cms access
external websites
data submission
management
groups
users
permissions
securityid token

7.1 High

AI Score

Confidence

Low

GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.

The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission.

Affected configurations

Vulners
Node
silverstripeframeworkRange3.3.0-rc2
OR
silverstripeframeworkRange3.2.1
OR
silverstripeframeworkRange3.1.16

7.1 High

AI Score

Confidence

Low