VYPR

Packagist (Composer) package

silverstripe/graphql

pkg:composer/silverstripe/graphql

Vulnerabilities (7)

  • CVE-2023-44401 (Jan 23, 2024)
    affected >= 4.0.0, < 4.3.7; fixed 4.3.7

    The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greate

  • CVE-2023-40180 (Oct 16, 2023)
    affected >= 3.0.0, < 3.8.2; fixed 3.8.2

    silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed grap

  • CVE-2023-28104 (Mar 16, 2023)
    affected >= 4.1.1, < 4.1.2; fixed 4.1.2

    `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affe

  • CVE-2021-28661 (Oct 7, 2021)
    affected >= 3.0.0, < 3.5.2; fixed 3.5.2

    In the default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1, the permission checker is not inherited by query subclasses.

  • CVE-2020-26136 (Jun 8, 2021)
    affected >= 3.0.0, < 3.5.0; fixed 3.5.0

    In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication.

  • CVE-2020-6165 (Jul 15, 2020)
    affected >= 3.2.0, < 3.2.4; fixed 3.2.4

    SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists

  • CVE-2019-12437 (Feb 19, 2020)
    affected >= 2.0.0, < 2.0.5; fixed 2.0.5

    In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,