Guysartorelli

**Name of the Vulnerable Software and Affected Versions** Silverstripe Admin versions 1.x prior to 1.13.19 Silverstripe Admin versions 2.x prior to 2.1.8 **Description** The issue allows users who don't have edit or delete permissions for records exposed in a `ModelAdmin` to still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible. This doesn't affect any `ModelAdmin` which has had the import form disabled via the `showImportForm` public property. **Recommendations** For Silverstripe Admin versions 1.x prior to 1.13.19, update to version 1.13.19 or later. For Silverstripe Admin versions 2.x prior to 2.1.8, update to version 2.1.8 or later. If you have a custom implementation of `BulkLoader`, update your implementation to respect permissions when the return value of `getCheckPermissions()` is true. If you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, consider passing `true` to `setCheckPermissions()` if the data is provided by users.

**Name of the Vulnerable Software and Affected Versions** silverstripe/graphql versions 4.1.1 through 4.2.2 **Description** The issue allows an attacker to execute a denial of service attack against a website with a publicly exposed GraphQL endpoint using a specially crafted GraphQL query. This mostly affects websites with particularly large or complex GraphQL schemas. If the Silverstripe CMS project does not expose a public-facing GraphQL schema, a user account is required to trigger the attack. Hosting the site behind a content delivery network (CDN) may further mitigate the risk. **Recommendations** For versions 4.1.1 and 4.2.2, upgrade to silverstripe/graphql 4.1.2 or 4.2.3 to remedy the vulnerability. As a temporary workaround, consider restricting access to the publicly exposed GraphQL endpoint until the issue is resolved. If the site is hosted behind a CDN, ensure the CDN configuration is up-to-date to maximize the mitigation of the risk.