GitHub Advisory Database: GHSA-W8FQ-XGVH-CXC2
Published: May 23, 2024, 2:41 p.m.

Silverstripe Forum Module CSRF Vulnerability

CWE-352 (Cross-Site Request Forgery), CWE-425 (Direct Request / Forced Browsing)
Source: GitHub Advisory Database (github.com)

AI Score: 7.1 High (Confidence: High)

A number of form actions in the Forum module are directly accessible as URLs, without going through the form that owns them. A malicious user (e.g. a spammer) can use plain GET requests to create Members and post to forums, bypassing the CSRF token check and the anti-spam measures that the form would normally enforce.

Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved to another forum.

Thanks to Michael Strong for discovering.
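The pattern behind both issues, as an added illustration that is not code from the silverstripe/forum module: a state-changing action exposed directly through `$allowed_actions`, reachable by GET and never checking the SecurityToken, beside a hardened version that only exposes the Form, requires POST and verifies the token. The class, action, field and permission names (`VulnerableTopicController`, `movetopic`, `FORUM_MODERATE`, the `Post`/`Forum` models) are hypothetical; the framework calls (`SS_HTTPRequest::isPOST`, `SecurityToken::inst()->checkRequest`, `Controller::httpError`) are SilverStripe 3.x API.

```php
<?php
// Illustrative example only; hypothetical names, not the forum module's code.

// BEFORE (vulnerable): the mutating action is routable on its own and
// accepts any request method, so a link such as
//   /topics/movetopic?TopicID=42&ForumID=7
// embedded in a page the moderator views performs the move on their behalf.
// No SecurityToken is checked because the request never passes through a Form.
class VulnerableTopicController extends Controller
{
    private static $allowed_actions = array('movetopic');

    public function movetopic(SS_HTTPRequest $request)
    {
        $topic = Post::get()->byID((int) $request->requestVar('TopicID'));
        if (!$topic) {
            return $this->httpError(404);
        }
        $topic->ForumID = (int) $request->requestVar('ForumID');
        $topic->write();
        return $this->redirectBack();
    }
}

// AFTER (hardened): only the Form is routable, the handler is reached via
// the form action, and the request is rejected unless it is a POST that
// carries the per-session SecurityToken the form rendered.
class HardenedTopicController extends Controller
{
    // Note: 'doMove' is deliberately NOT listed here, so it cannot be hit
    // directly by URL; it is only reachable as an action of MoveTopicForm.
    private static $allowed_actions = array('MoveTopicForm');

    public function MoveTopicForm()
    {
        $fields = new FieldList(
            new HiddenField('TopicID'),
            new DropdownField('ForumID', 'Move to', Forum::get()->map()->toArray())
        );
        $actions = new FieldList(new FormAction('doMove', 'Move topic'));
        // Form adds a hidden SecurityID field when SecurityToken is enabled
        // (the default) and validates it on submission.
        return new Form($this, 'MoveTopicForm', $fields, $actions);
    }

    public function doMove(array $data, Form $form)
    {
        $request = $this->getRequest();

        // 1. A crafted link can only produce a GET; refuse anything else than POST.
        if (!$request->isPOST()) {
            return $this->httpError(405, 'POST required');
        }
        // 2. Defence in depth: re-check the CSRF token even though the Form
        //    submission path already validated it.
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Invalid security token');
        }
        // 3. Authorise the caller (hypothetical permission code).
        if (!Permission::check('FORUM_MODERATE')) {
            return Security::permissionFailure($this);
        }

        $topic = Post::get()->byID((int) $data['TopicID']);
        if (!$topic) {
            return $this->httpError(404);
        }
        $topic->ForumID = (int) $data['ForumID'];
        $topic->write();
        return $this->redirectBack();
    }
}
```

The same shape applies to the member-creation and posting actions in the first paragraph: the spam bypass exists because a bare GET reaches the handler, so the fix is to make the Form the only routable entry point rather than to bolt a captcha onto an action that skips the form entirely.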

Affected configurations

Vulners node: silverstripe / silverstripe, range 0.7.3
OR
Vulners node: silverstripe / silverstripe, range 0.6.1