silverstripe/graphql Cross-Site Request Forgery vulnerability

The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.

Published: May 28, 2024
Updated: Jun 27, 2024
GHSA: GHSA-wjg9-v8cf-f5q2
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
silverstripe / graphql	2.0.0	2.0.3

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/SS-2018-007-1.yaml
https://github.com/silverstripe/silverstripe-graphql/commit/b59ba397ff42d8934bd2d9c932514f898c327f64
https://www.silverstripe.org/download/security-releases/ss-2018-007

Vulnerability Database

silverstripe/graphql Cross-Site Request Forgery vulnerability