
SS-2018-007: CSRF vulnerability in graphql

Severity: High
Identifier: SS-2018-007
Versions Affected: silverstripe/graphql:^2.0
Versions Fixed: silverstripe/graphql:2.0.3, silverstripe/graphql:3.0.0

The GraphQL controller did not apply any CSRF protection, so an authenticated user could be tricked into visiting a URL that sent a GET request to the affected web server and, without the user's knowledge, executed a GraphQL operation that modified or destroyed data.
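To make the gap concrete, the following is an added illustration in Python of the two checks a GraphQL endpoint needs to close this class of issue: refuse to execute operations with side effects when they arrive over GET, and require a per-session CSRF token for those that arrive over POST. It is not the silverstripe/graphql module's own code and not the fix shipped in 2.0.3; the request shape, the `X-CSRF-TOKEN` header name and the session token handling are assumptions made for the example.

```python
import hmac
import re
import secrets
from typing import Optional, Tuple

# Constructed example: classifies a GraphQL document by its top-level
# operation keywords and gates side-effecting operations behind the HTTP
# method and a CSRF token. Names and request shape are assumptions.

_KEYWORD = re.compile(r'\b(query|mutation|subscription|fragment)\b')


def _depth0_text(document: str) -> str:
    """Return only the characters of a GraphQL document that sit outside any
    { } selection set, with comments and string literals removed, so that a
    field or string that happens to contain 'mutation' cannot fool the check."""
    out, depth, i, n = [], 0, 0, len(document)
    while i < n:
        c = document[i]
        if c == '#':                              # comment runs to end of line
            while i < n and document[i] != '\n':
                i += 1
        elif document.startswith('"""', i):       # block string literal
            end = document.find('"""', i + 3)
            i = n if end < 0 else end + 3
        elif c == '"':                            # ordinary string, honour escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == '\\' else 1
            i += 1
        else:
            if c == '{':
                depth += 1
            elif c == '}':
                depth = max(0, depth - 1)
            elif depth == 0:
                out.append(c)
            i += 1
    return ''.join(out)


def has_side_effects(document: str) -> bool:
    """True if any top-level definition is a mutation or subscription.
    Deliberately conservative: a document that mixes a query with a mutation
    counts as side-effecting regardless of which operationName the client
    says it will run. Anonymous shorthand '{ ... }' is a query."""
    kinds = set(_KEYWORD.findall(_depth0_text(document)))
    return bool(kinds & {'mutation', 'subscription'})


class CsrfToken:
    """Per-session secret (storage in the session is assumed), compared in
    constant time to avoid leaking the token byte by byte."""

    def __init__(self, value: Optional[str] = None):
        self.value = value or secrets.token_hex(16)

    def check(self, presented: Optional[str]) -> bool:
        if not isinstance(presented, str):
            return False
        return hmac.compare_digest(self.value.encode(), presented.encode())


def authorize(method: str, document: str, headers: dict, token: CsrfToken) -> Tuple[bool, str]:
    """Decide whether a GraphQL request may execute. `document` is the
    'query' URL parameter for GET or the JSON body's 'query' for POST
    (assumed transport). Returns (allowed, reason)."""
    if not has_side_effects(document):
        return True, 'read-only operation'
    if method.upper() != 'POST':
        return False, 'mutations and subscriptions are only accepted over POST'
    if not token.check(headers.get('X-CSRF-TOKEN')):
        return False, 'missing or invalid CSRF token'
    return True, 'mutation authorised by CSRF token'


if __name__ == '__main__':
    session_token = CsrfToken()
    # A link a victim could be lured into clicking issues a GET with no token.
    print(authorize('GET', 'mutation { deleteMember(id: 1) }', {}, session_token))
    # The legitimate front end sends the token it was issued with the page.
    print(authorize('POST', 'mutation { deleteMember(id: 1) }',
                    {'X-CSRF-TOKEN': session_token.value}, session_token))
```

The method check alone stops the browser-navigation case the advisory describes, since a plain link or image tag can only produce a GET; the token check is what stops a cross-origin form or script from replaying the same mutation as a POST. Rejecting the mixed query-plus-mutation document is intentional: classifying by the client-supplied `operationName` instead would let a request choose the lenient path.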

Reported by Mustafa Hasan