VulnerableCode Package Details - pkg:composer/silverstripe/graphql@2.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-414d-7bfm-kud7 Aliases: CVE-2021-28661 GHSA-r7rh-g777-g5gx	Incorrect Authorization Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass.	3.5.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ajga-3b99-yugh Aliases: CVE-2020-26136 GHSA-mg2g-8pwj-r2j2	Authentication bypass in SilverStripe GraphQL The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though. Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler	3.5.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.6.0-alpha1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.0.0-alpha2 Affected by 0 other vulnerabilities.
VCID-cdgj-bdpy-ukak Aliases: CVE-2019-12437 GHSA-fx37-56v6-85q6	Cross-Site Request Forgery (CSRF) Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL.	2.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.1.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-414d-7bfm-kud7
Aliases:
CVE-2021-28661
GHSA-r7rh-g777-g5gx

Incorrect Authorization Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass.

3.5.2
Affected by 1 other vulnerability.

VCID-ajga-3b99-yugh
Aliases:
CVE-2020-26136
GHSA-mg2g-8pwj-r2j2

Authentication bypass in SilverStripe GraphQL The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though. Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler

3.5.0
Affected by 3 other vulnerabilities.

3.6.0-alpha1
Affected by 1 other vulnerability.

4.0.0-alpha2
Affected by 0 other vulnerabilities.

VCID-cdgj-bdpy-ukak
Aliases:
CVE-2019-12437
GHSA-fx37-56v6-85q6

Cross-Site Request Forgery (CSRF) Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL.

2.0.5
Affected by 2 other vulnerabilities.

3.1.2
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jdwy-ny15-zfg3	silverstripe/graphql Cross-Site Request Forgery vulnerability The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.	GHSA-wjg9-v8cf-f5q2

Vulnerability

Summary

Aliases

VCID-jdwy-ny15-zfg3

silverstripe/graphql Cross-Site Request Forgery vulnerability The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.

GHSA-wjg9-v8cf-f5q2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:59:50.824228+00:00	GitLab Importer	Fixing	VCID-jdwy-ny15-zfg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/GHSA-wjg9-v8cf-f5q2.yml	38.4.0
2026-04-16T21:32:00.424861+00:00	GitLab Importer	Affected by	VCID-414d-7bfm-kud7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2021-28661.yml	38.4.0
2026-04-16T21:26:01.596694+00:00	GitLab Importer	Affected by	VCID-ajga-3b99-yugh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2020-26136.yml	38.4.0
2026-04-16T20:55:18.002028+00:00	GitLab Importer	Affected by	VCID-cdgj-bdpy-ukak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2019-12437.yml	38.4.0
2026-04-12T00:17:51.766706+00:00	GitLab Importer	Fixing	VCID-jdwy-ny15-zfg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/GHSA-wjg9-v8cf-f5q2.yml	38.3.0
2026-04-11T22:45:15.881405+00:00	GitLab Importer	Affected by	VCID-414d-7bfm-kud7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2021-28661.yml	38.3.0
2026-04-11T22:38:51.458903+00:00	GitLab Importer	Affected by	VCID-ajga-3b99-yugh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2020-26136.yml	38.3.0
2026-04-11T22:06:17.187782+00:00	GitLab Importer	Affected by	VCID-cdgj-bdpy-ukak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2019-12437.yml	38.3.0
2026-04-03T00:25:04.733969+00:00	GitLab Importer	Fixing	VCID-jdwy-ny15-zfg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/GHSA-wjg9-v8cf-f5q2.yml	38.1.0
2026-04-02T22:55:11.962357+00:00	GitLab Importer	Affected by	VCID-414d-7bfm-kud7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2021-28661.yml	38.1.0
2026-04-02T22:49:30.005308+00:00	GitLab Importer	Affected by	VCID-ajga-3b99-yugh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2020-26136.yml	38.1.0
2026-04-02T22:19:06.945851+00:00	GitLab Importer	Affected by	VCID-cdgj-bdpy-ukak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2019-12437.yml	38.1.0
2026-04-02T12:39:22.868824+00:00	GitLab Importer	Fixing	VCID-jdwy-ny15-zfg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/GHSA-wjg9-v8cf-f5q2.yml	38.0.0
2026-04-01T17:13:29.652916+00:00	GitLab Importer	Affected by	VCID-414d-7bfm-kud7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2021-28661.yml	38.0.0
2026-04-01T17:07:25.429860+00:00	GitLab Importer	Affected by	VCID-ajga-3b99-yugh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2020-26136.yml	38.0.0
2026-04-01T16:36:52.656670+00:00	GitLab Importer	Affected by	VCID-cdgj-bdpy-ukak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2019-12437.yml	38.0.0
2026-04-01T16:05:32.211698+00:00	GHSA Importer	Fixing	VCID-jdwy-ny15-zfg3	https://github.com/advisories/GHSA-wjg9-v8cf-f5q2	38.0.0
2026-04-01T12:51:57.650020+00:00	GithubOSV Importer	Fixing	VCID-jdwy-ny15-zfg3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-wjg9-v8cf-f5q2/GHSA-wjg9-v8cf-f5q2.json	38.0.0