Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter

Severity:
High (?)
Identifier:
SS-2016-002
Versions Affected:
3.1.16, 3.2.1, 3.3.0-rc2 and below
Versions Fixed:
3.1.17, 3.2.2, 3.3.0
Release Date:
2016-02-24

GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.

The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission.

CVSS Score: 3.6

Credit to Ashraf Alharbi from Security-Assessment.com for reporting.