GHSA-2hpc-mf4q-j885: Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter
GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.
The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-002-1.yaml
- github.com/advisories/GHSA-2hpc-mf4q-j885
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/013524af5069bb0cf909853f04418d9bef56d18c
- github.com/silverstripe/silverstripe-framework/commit/56e92f5a32e45849cc9361c8603c31d7010c9d36
- github.com/silverstripe/silverstripe-framework/commit/e2c77c5a8f13e901c51a3684210811559b592f0c
- www.silverstripe.org/download/security-releases/ss-2016-002
Code Behaviors & Features
Detect and mitigate GHSA-2hpc-mf4q-j885 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →