GHSA-wjg9-v8cf-f5q2: silverstripe/graphql Cross-Site Request Forgery vulnerability
The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/SS-2018-007-1.yaml
- github.com/advisories/GHSA-wjg9-v8cf-f5q2
- github.com/silverstripe/silverstripe-graphql
- github.com/silverstripe/silverstripe-graphql/commit/b59ba397ff42d8934bd2d9c932514f898c327f64
- www.silverstripe.org/download/security-releases/ss-2018-007
Code Behaviors & Features
Detect and mitigate GHSA-wjg9-v8cf-f5q2 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →