
CVE-2019-12246: Denial of Service on flush and development URL tools

Severity:
Medium (?)
Identifier:
CVE-2019-12246
Versions Affected:
silverstripe/framework:^4.0, silverstripe/framework:^3.6
Versions Fixed:
silverstripe/framework:4.4.0
Release Date:
2019-06-10

A CSRF attack vector has been identified for authenticated users with administrative privileges. Administrators tricked into opening a malicious URL may trigger unintended maintenance actions. This includes some of the URL Variable Tools such as ?flush, ?isDev and ?isTest. Another potential target is the development admin URLs (/dev/*); for example, /dev/build, as well as some others provided by SilverStripe add-ons.
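The underlying problem is that a maintenance action runs on a bare GET request, so any page an administrator visits can trigger it with a link or image tag. The following is an added illustrative example, not the SilverStripe project's own fix for this advisory, showing the general mitigation: a GET only renders a confirmation form, and the action itself runs only on a POST that carries the framework's CSRF token. The controller name, route and action name are assumptions; the SilverStripe classes used (Controller, HTTPRequest, SecurityToken, Permission, ClassInfo, Flushable) are the framework 4 APIs.

```php
<?php
// Added example (not SilverStripe's fix): guard a maintenance action against CSRF.
// Assumed route: /maintenance/flush. Class and action names are hypothetical.

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Core\ClassInfo;
use SilverStripe\Core\Flushable;
use SilverStripe\Security\Permission;
use SilverStripe\Security\SecurityToken;

class MaintenanceController extends Controller
{
    private static $allowed_actions = ['flush'];

    // Entry point for the assumed /maintenance/flush route.
    public function flush(HTTPRequest $request)
    {
        // Only administrators may reach the action at all.
        if (!Permission::check('ADMIN')) {
            return $this->httpError(403, 'Administrator permission required');
        }

        // A GET must never change state: show a confirmation form instead of flushing.
        if ($request->isGET()) {
            return $this->renderConfirmationForm();
        }

        // The real action requires a POST whose body carries a valid SecurityToken;
        // a cross-site request cannot obtain that token, so the check fails for CSRF.
        if (!$request->isPOST() || !SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Invalid or missing security token');
        }

        $this->doFlush();
        return new HTTPResponse('Cache flushed', 200);
    }

    // Renders a minimal form embedding the session-bound CSRF token as a hidden field.
    private function renderConfirmationForm()
    {
        $token = SecurityToken::inst();
        $html = '<form method="POST" action="' . htmlspecialchars($this->Link('flush')) . '">'
              . '<input type="hidden" name="' . htmlspecialchars($token->getName()) . '"'
              . ' value="' . htmlspecialchars($token->getValue()) . '">'
              . '<button type="submit">Confirm cache flush</button>'
              . '</form>';
        return new HTTPResponse($html, 200);
    }

    // Performs the flush by invoking every registered Flushable implementor,
    // the same hook SilverStripe's ?flush handling uses.
    private function doFlush()
    {
        foreach (ClassInfo::implementorsOf(Flushable::class) as $class) {
            $class::flush();
        }
    }
}
```

The same two-step pattern (GET shows a confirmation, POST with a token performs the work) applies to any /dev/* style task an add-on exposes: the confirmation step alone removes the one-click trigger, and the token check defeats a forged POST.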

CVSS 4.3