
SS-2018-024: GraphQL does not validate X-CSRF-TOKEN

Severity:
Moderate
Identifier:
SS-2018-024
Versions Affected:
>= 4
Versions Fixed:
4.0.6, 4.1.4, 4.2.3, 4.3.0
Release Date:
2018-12-12

While the admin modules were sending the appropriate X-CSRF-TOKEN header in all requests, the GraphQL server was not validating it, thereby leaving itself open to CSRF exploitation, particularly on destructive operations (mutations).