Search for packages
| purl | pkg:composer/silverstripe/graphql@4.5.0 |
| Tags | Ghost |
| Next non-vulnerable version | 5.0.0-alpha1 |
| Latest non-vulnerable version | 5.1.3 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-n2ar-guzb-qfe1
Aliases: CVE-2020-6165 GHSA-589q-75r3-mfq4 |
Silverstripe has Incorrect Default Permissions SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T12:36:55.633638+00:00 | GitLab Importer | Affected by | VCID-n2ar-guzb-qfe1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/silverstripe/graphql/CVE-2020-6165.yml | 38.0.0 |