SS-2018-024: GraphQL does not validate X-CSRF-TOKEN
- Severity: Medium
- Identifier: SS-2018-024
- Versions Affected: silverstripe/graphql:^4.0
- Versions Fixed: silverstripe/graphql:4.0.6, silverstripe/graphql:4.1.4, silverstripe/graphql:4.2.3, silverstripe/graphql:4.3.0
- Release Date: 2018-12-12
While the admin modules were sending the appropriate X-CSRF-TOKEN header in all requests, the GraphQL server was not validating it. Requests to the GraphQL endpoint were therefore authorised by the session cookie alone, which the browser attaches to cross-site requests as well, leaving the endpoint open to cross-site request forgery (CSRF), particularly on destructive operations such as mutations.