cve/2023/CVE-2023-28104.md

### [CVE-2023-28104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28104)
![](https://img.shields.io/static/v1?label=Product&message=silverstripe-graphql&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3D%204.1.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-770%3A%20Allocation%20of%20Resources%20Without%20Limits%20or%20Throttling&color=brighgreen)

### Description

`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon