GHSA-w8fq-xgvh-cxc2: 
PHP vulnerability analysis and mitigation

The Silverstripe Forum Module CSRF Vulnerability (GHSA-w8fq-xgvh-cxc2) was discovered in 2015 affecting Silverstripe Forum module versions 0.6.1 and below, as well as versions 0.7.0 to 0.7.3. The vulnerability was patched in versions 0.6.2, 0.7.4, and 0.8.0. The issue was disclosed on August 10, 2015, and was discovered by Michael Strong (Silverstripe Advisory).

The vulnerability allowed direct access to several form actions in the Forum module. The issue was rated as Moderate severity with a CVSS score of 5.3. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and CWE-425. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network vector attack with low complexity and no privileges required (GitHub Advisory).

The vulnerability allowed malicious users to bypass CSRF and anti-spam measures, enabling them to create Members and post to forums using GET requests. Additionally, forum moderators could be tricked into moving topics by clicking specially crafted URLs (Silverstripe Advisory).

The vulnerability was fixed by removing form actions from allowed_actions to prevent direct access. Users should upgrade to patched versions: 0.6.2, 0.7.4, or 0.8.0 (GitHub Commit).