OSV:GHSA-WJG9-V8CF-F5Q2
Type: osv
Reporter: Google
History: May 28, 2024 - 1:13 p.m.

silverstripe/graphql Cross-Site Request Forgery vulnerability

2024-05-28 13:13:11
Google
osv.dev
Tags: silverstripe, graphql, csrf, vulnerability, data mutation, web server, authenticated users

AI Score: 6.9
Confidence: Low

The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.
