The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.
| Vendor | Product | Version | CPE |
|---|---|---|---|
| silverstripe | graphql | * | cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:* |
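
The missing check from the description above, as a framework-independent sketch: state-changing GraphQL operations are refused on GET and require a session-bound CSRF token on POST. This is an added example, not Silverstripe's code or its fix; `is_read_only` and `may_execute` are hypothetical names, and the small lexer stands in for the operation type a real GraphQL parser would report.

```python
import hmac
import re

# String literals and comments are blanked first so keywords inside them are ignored.
_NOISE = re.compile(r'"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\r\n])*"|#[^\r\n]*')
_TOKEN = re.compile(r"[{}()]|[A-Za-z_][A-Za-z0-9_]*")


def is_read_only(document):
    """True only if no top-level `mutation` or `subscription` keyword is present.

    Fails closed: unbalanced brackets count as not read-only.
    """
    depth = 0
    for tok in _TOKEN.findall(_NOISE.sub(" ", document)):
        if tok in ("{", "("):
            depth += 1
        elif tok in ("}", ")"):
            depth -= 1
            if depth < 0:
                return False
        elif depth == 0 and tok in ("mutation", "subscription"):
            return False
    return depth == 0


def may_execute(method, document, session_token, request_token):
    """Decide whether a request may reach the GraphQL executor."""
    if is_read_only(document):
        return True
    if method.upper() != "POST":
        return False  # state changes never ride on a GET URL
    if not session_token or not request_token:
        return False
    # Constant-time comparison of the session's token with the one sent in the request.
    return hmac.compare_digest(session_token.encode(), request_token.encode())
```

The lexer errs toward rejection, so an operation or fragment that is itself named `mutation` is treated as state-changing.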