GHSA-2hpc-mf4q-j885 – silverstripe/framework

Package

Manager: composer
Name: silverstripe/framework
Vulnerable Version: >=0 <3.1.17 || >=3.2.0 <3.2.2 || >=3.3.0-beta1 <3.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS. The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission.

Metadata

Created: 2024-05-23T19:19:33Z
Modified: 2024-05-23T19:19:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-2hpc-mf4q-j885/GHSA-2hpc-mf4q-j885.json
CWE IDs: ["CWE-352"]
Alternative ID: N/A
Finding: F007
Auto approve: 1