Description
silverstripe/graphql Cross-Site Request Forgery vulnerability
The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.
Packages
Name: silverstripe/graphql (composer)
Affected versions: >= 2.0.0, < 2.0.3
Fixed version: 2.0.3
CVSS3: 7.3 High
Weaknesses: CWE-352