Packagist (Composer) package
silverstripe/graphql
pkg:composer/silverstripe/graphql
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-44401 | — | | | >= 4.0.0, < 4.3.7 | 4.3.7 | Jan 23, 2024 | The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greate |
| CVE-2023-40180 | — | | | >= 3.0.0, < 3.8.2 | 3.8.2 | Oct 16, 2023 | silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed grap |
| CVE-2023-28104 | — | | | >= 4.1.1, < 4.1.2 | 4.1.2 | Mar 16, 2023 | `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affe |
| CVE-2021-28661 | — | | | >= 3.0.0, < 3.5.2 | 3.5.2 | Oct 7, 2021 | Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass. |
| CVE-2020-26136 | — | | | >= 3.0.0, < 3.5.0 | 3.5.0 | Jun 8, 2021 | In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication. |
| CVE-2020-6165 | — | | | >= 3.2.0, < 3.2.4 | 3.2.4 | Jul 15, 2020 | SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists |
| CVE-2019-12437 | — | | | >= 2.0.0, < 2.0.5 | 2.0.5 | Feb 19, 2020 | In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, |