Silverstripe : Security Vulnerabilities, CVEs, (Denial of service)
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Max CVSS
7.5
EPSS Score
0.06%
Published
2023-10-16
Updated
2023-10-23
`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.
Max CVSS
7.5
EPSS Score
0.14%
Published
2023-03-16
Updated
2023-03-22
SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.
Max CVSS
4.3
EPSS Score
0.07%
Published
2020-02-19
Updated
2020-02-20
3 vulnerabilities found