GHSA-2hpc-mf4q-j885

Source

https://github.com/advisories/GHSA-2hpc-mf4q-j885

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-2hpc-mf4q-j885/GHSA-2hpc-mf4q-j885.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2hpc-mf4q-j885

Published

2024-05-23T19:19:33Z

Modified

2024-11-28T05:23:17.093348Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Silverstripe CSRF vulnerability in GridFieldAddExistingAutocompleter

Details

GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.

The resolution for this issue is to ensure that all gridFieldAlterAction submissions are checked for the SecurityID token during submission.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T19:19:33Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.17

Affected versions

2.*

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

3.*

3.0.2.1

3.0.3-rc1

3.0.3-rc2

3.0.3

3.0.4

3.0.5

3.0.6-rc1

3.0.6-rc2

3.0.6

3.0.7-rc1

3.0.7

3.0.8

3.0.9-rc1

3.0.9

3.0.10-rc1

3.0.10

3.0.11-rc1

3.0.11

3.0.12

3.0.13

3.0.14

3.1.0-beta1

3.1.0-beta2

3.1.0-beta3

3.1.0-rc1

3.1.0-rc2

3.1.0-rc3

3.1.0

3.1.1

3.1.2-rc1

3.1.2

3.1.3-rc1

3.1.3-rc2

3.1.3

3.1.4-rc1

3.1.4

3.1.5-rc1

3.1.5

3.1.6-rc1

3.1.6-rc2

3.1.6-rc3

3.1.6

3.1.7-rc1

3.1.7

3.1.8

3.1.9-rc1

3.1.9

3.1.10-rc1

3.1.10-rc2

3.1.10

3.1.11-rc1

3.1.11

3.1.12

3.1.13-rc1

3.1.13

3.1.14-rc1

3.1.14

3.1.15

3.1.16-rc1

3.1.16

3.1.17-rc1

3.1.17-rc2

Database specific

{
    "last_known_affected_version_range": "<= 3.1.16"
}

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.2

Affected versions

3.*

3.2.0

3.2.1-rc1

3.2.1-rc2

3.2.1

3.2.2-rc1

3.2.2-rc2

Database specific

{
    "last_known_affected_version_range": "<= 3.2.1"
}

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0-beta1

Fixed

3.3.0

Affected versions

3.*

3.3.0-beta1

3.3.0-rc1

3.3.0-rc2

3.3.0-rc3

Database specific

{
    "last_known_affected_version_range": "<= 3.3.0-rc2"
}