SS-2018-007: CSRF vulnerability in graphql
- High (?)
- Versions Affected:
- Versions Fixed:
- silverstripe/graphql:2.0.3, silverstripe/graphql:3.0.0
The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.
Reported by Mustafa Hasan