First published: Tue Jun 08 2021
CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
composer/silverstripe/graphql | >=3.0.0 <3.5.0, >=4.0.0-alpha1 <4.0.0-alpha2 | |
Silverstripe silverstripe | <4.6.0 | |
Silverstripe silverstripe | =4.6.0-rc1 | |
composer/silverstripe/graphql | >=4.0.0-alpha1 <4.0.0-alpha2 | 4.0.0-alpha2 |
composer/silverstripe/graphql | >=3.0.0 <3.5.0 | 3.5.0 |
CVE-2020-26136 is a vulnerability in SilverStripe where GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication.
The severity level of CVE-2020-26136 is medium with a CVSS score of 6.5.
The silverstripe/graphql module versions 3.0.0 up to 3.5.0 and 4.0.0-alpha1 up to 4.0.0-alpha2, as well as SilverStripe 4.6.0-rc1 and all versions prior to 4.6.0-rc1, are affected by CVE-2020-26136.
CVE-2020-26136 allows an attacker to bypass multi-factor authentication when using basic authentication in SilverStripe applications with GraphQL.
To fix CVE-2020-26136, update your SilverStripe installation to version 4.6.0-rc1 or higher, or apply the patches provided by SilverStripe.