GitHub Advisory Database: GHSA-WJG9-V8CF-F5Q2
May 28, 2024 - 1:13 p.m.

silverstripe/graphql Cross-Site Request Forgery vulnerability

2024-05-28 13:13:11
CWE-352
GitHub Advisory Database
github.com
Tags: silverstripe, graphql, cross-site request forgery, csrf, protection, authenticated users, url, get request, web server, data mutation, data destruction

AI Score

6.9

Confidence

Low

The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.

Affected configurations

Vulners
Node: silverstripe graphql, range 2.0.0 - 2.0.3

Vendor        Product  Version  CPE
silverstripe  graphql  *        cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*
