SS-2018-007: GraphQL lacks CSRF

Severity: Medium
Identifier: SS-2018-007
Versions Affected: >= 4
Versions Fixed: 4.0.5, 4.1.3, 4.2.2, 4.3.0-rc1
Release Date: 2018-11-07

The GraphQL server used by the CMS is exposed to a CSRF vulnerability that allows attackers to force admins to delete all the files on their SilverStripe installation. The deletion request is accepted without validation of the request's origin and without a CSRF token, so a logged-in admin who is lured onto a third-party page can have the request issued on their behalf.
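The shape of the missing check, as an added illustration that is not SilverStripe's code and not the actual patch: a GraphQL endpoint that lets read-only queries through but refuses a mutation unless the request both comes from the site's own origin (Origin header, falling back to Referer) and carries the session's CSRF token in a custom header. The site origin, the header name `X-CSRF-Token`, the `deleteFiles` mutation and the sample requests are all constructed for the demo.

```python
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Constructed value for the demo; a real deployment takes this from config.
SITE_ORIGIN = "https://cms.example.test"


def new_csrf_token() -> str:
    """Issue a per-session CSRF token; the server keeps it in the session."""
    return secrets.token_urlsafe(32)


def operation_type(query: str) -> str:
    """Classify a GraphQL document by its leading keyword.

    Anonymous shorthand ("{ ... }") is a query; anything unrecognised is
    reported as "unknown" so the caller can fail closed.
    """
    head = query.lstrip()
    if head.startswith("{"):
        return "query"
    for kind in ("mutation", "query", "subscription"):
        if head.startswith(kind):
            return kind
    return "unknown"


def same_origin(url: str, expected: str) -> bool:
    """True when scheme and host[:port] of `url` match `expected`.

    A missing or "null" Origin parses to an empty scheme/netloc and so
    never matches.
    """
    a, b = urlsplit(url), urlsplit(expected)
    return bool(a.scheme) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def graphql_request_allowed(headers: dict, body: bytes, session_token: str):
    """Decide whether a GraphQL POST may run. Returns (allowed, reason).

    Queries are read-only and pass. Mutations (and anything unparseable or
    unrecognised) must be same-origin and present the session's CSRF token.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    try:
        query = json.loads(body.decode("utf-8")).get("query", "")
    except (ValueError, AttributeError):
        return False, "malformed body"
    if not isinstance(query, str):
        return False, "malformed body"
    if operation_type(query) == "query":
        return True, "read-only query"
    # From here on the operation may change state: fail closed.
    origin = hdr.get("origin") or hdr.get("referer") or ""
    if not same_origin(origin, SITE_ORIGIN):
        return False, "cross-site or missing Origin"
    token = hdr.get("x-csrf-token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not session_token or not hmac.compare_digest(
        token.encode("utf-8"), session_token.encode("utf-8")
    ):
        return False, "missing or invalid CSRF token"
    return True, "mutation accepted"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed mutation; the real schema's field names are not on the page.
    delete = json.dumps(
        {"query": 'mutation { deleteFiles(ids: ["1"]) { id } }'}
    ).encode("utf-8")
    # A browser sends the third-party page's Origin, so this is refused.
    print(graphql_request_allowed({"Origin": "https://other.example.test"}, delete, token))
    # The CMS's own front end supplies both the origin and the token.
    print(graphql_request_allowed(
        {"Origin": SITE_ORIGIN, "X-CSRF-Token": token}, delete, token))
```

Origin checking alone is a second line of defence, not a substitute for the token: some clients omit Origin, and a stale or missing header must be treated as cross-site rather than trusted, which is why the check above falls closed on an empty value.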

Reported by Mustafa Hasan