CVE-2020-4038

2020-06-0821:15:09

Google

osv.dev

0.002 Low

EPSS

Percentile

52.1%

JSON

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.

CPENameOperatorVersion
graphql-playgroundeq1.7.0
graphql-playgroundeq[email protected]
graphql-playgroundeq[email protected]
graphql-playgroundeq1.3.21
graphql-playgroundeq[email protected]
graphql-playgroundeq1.6.1
graphql-playgroundeq1.8.2
graphql-playgroundeq1.0.0
graphql-playgroundeq1.6.2
graphql-playgroundeq1.3.6

Name	Operator	Version
graphql-playground	eq	1.7.0
graphql-playground	eq	[email protected]
graphql-playground	eq	[email protected]
graphql-playground	eq	1.3.21
graphql-playground	eq	[email protected]
graphql-playground	eq	1.6.1
graphql-playground	eq	1.8.2
graphql-playground	eq	1.0.0
graphql-playground	eq	1.6.2
graphql-playground	eq	1.3.6