Cross-site Request Forgery (CSRF) Affecting silverstripe/framework package, versions >=3.1.18, <3.1.19 >=3.2.3, <3.2.4 >=3.3.1, <3.3.2
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SILVERSTRIPEFRAMEWORK-546505
- published 5 Feb 2020
- disclosed 5 Feb 2020
- credit Anthony Thorpe
How to fix?
Upgrade silverstripe/framework
to version 3.1.19, 3.2.4, 3.3.2 or higher.
Overview
silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). LoginForm
method calls disableSecurityToken()
, which causes a "shared host domain" vulnerability.