Search for packages
| purl | pkg:composer/silverstripe/graphql@2.0.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-414d-7bfm-kud7
Aliases: CVE-2021-28661 GHSA-r7rh-g777-g5gx |
Incorrect Authorization Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass. |
Affected by 1 other vulnerability. |
|
VCID-ajga-3b99-yugh
Aliases: CVE-2020-26136 GHSA-mg2g-8pwj-r2j2 |
Authentication bypass in SilverStripe GraphQL The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though. Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-cdgj-bdpy-ukak
Aliases: CVE-2019-12437 GHSA-fx37-56v6-85q6 |
Cross-Site Request Forgery (CSRF) Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-jdwy-ny15-zfg3
Aliases: GHSA-wjg9-v8cf-f5q2 |
silverstripe/graphql Cross-Site Request Forgery vulnerability The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||