SS-2018-007: GraphQL lacks CSRF
- Severity: Medium (?)
- Identifier: SS-2018-007
- Versions Affected: >= 4
- Versions Fixed: 4.0.5, 4.1.3, 4.2.2, 4.3.0-rc1
- Release Date: 2018-11-07
The GraphQL server used by the CMS is vulnerable to cross-site request forgery (CSRF): the file-deletion request is accepted without validating the origin of the request and without a CSRF token, so an attacker can force a logged-in admin to delete all the files on their SilverStripe installation.
Reported by Mustafa Hasan
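As an added illustration (not SilverStripe's own code or the code of the actual fix), this is the kind of server-side guard a GraphQL endpoint needs before honouring a state-changing mutation: the request's Origin (or Referer) must name the site itself and a per-session CSRF token must be present, while read-only queries pass unchanged. The X-CSRF-TOKEN header name, the allowed origin and the deleteFiles mutation are assumptions, not values from the advisory.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed example: the origin(s) the CMS admin UI is served from.
ALLOWED_ORIGINS = {"https://cms.example.test"}

# Conservative: any document containing a mutation operation is treated as
# state-changing. A full implementation would parse the GraphQL document.
MUTATION_RE = re.compile(r"\bmutation\b", re.IGNORECASE)

def is_mutation(query: str) -> bool:
    return bool(MUTATION_RE.search(query))

def origin_allowed(headers: dict) -> bool:
    """Accept only if Origin (or, failing that, Referer) names an allowed origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False  # neither header present: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS

def token_valid(headers: dict, session_token: str) -> bool:
    # constant-time compare of the submitted token with the session's token
    return hmac.compare_digest(headers.get("X-CSRF-TOKEN", ""), session_token)

def guard(request: dict, session_token: str) -> tuple:
    """Return (allowed, reason); queries pass, mutations need origin and token."""
    if not is_mutation(request["body"].get("query", "")):
        return True, "read-only query"
    if not origin_allowed(request["headers"]):
        return False, "origin not allowed"
    if not token_valid(request["headers"], session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed requests; the mutation name is a placeholder, not SilverStripe's.
SESSION_TOKEN = "constructed-session-token"
DELETE = {"query": "mutation { deleteFiles(ids: [1, 2]) { id } }"}
FORGED = {"headers": {"Origin": "https://attacker.example.test"}, "body": DELETE}
LEGIT = {"headers": {"Origin": "https://cms.example.test",
                     "X-CSRF-TOKEN": SESSION_TOKEN}, "body": DELETE}
```

A cross-site page can make the browser send the admin's session cookie, but it cannot set a matching Origin or read the per-session token, so `guard(FORGED, SESSION_TOKEN)` rejects the deletion while `guard(LEGIT, SESSION_TOKEN)` allows it.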