CVE-2023-28104
published 2023-03-16

CVE-2023-28104: silverstripe/graphql Denial of Service vulnerability

Severity: High (CVSS 3.1 base score 7.5)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.05% (60.1th percentile)
`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted GraphQL query to execute a denial of service attack against a website which has a publicly exposed GraphQL endpoint. This mostly affects websites with particularly large or complex GraphQL schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.

Affected

4 ranges

Vendor        Product               Version range       Fixed in
silverstripe  graphql               >= 4.1.1, < 4.1.2   4.1.2
silverstripe  graphql               >= 4.2.2, < 4.2.3   4.2.3
silverstripe  silverstripe-graphql  (not specified)     (not specified)
silverstripe  silverstripe-graphql  (not specified)     (not specified)

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvelistv5            7.5     HIGH