Lucene search
K

88 matches found

OSV
OSV
added 2023/06/16 7:40 p.m.32 views

GHSA-68JH-RF6X-836F @apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

Context Content Security Policies CSP are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. Impact There aren't any XSS attack vectors via...

6AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/06/16 7:40 p.m.25 views

@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

Context Content Security Policies CSP are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. Impact There aren't any XSS attack vectors via...

10AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2023/06/16 12:0 a.m.5 views

PT-2023-32982 · Apollo Graphql · Apollo Server

Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to 4.7.4 Description: The issue concerns the improper application of Content Security Policies CSP in Apollo Server's landing pages, which could fail to prevent XSS attacks if a viable attack vector exists. Althou...

6.2AI score
Exploits0References4
Veracode
Veracode
added 2022/11/04 2:21 a.m.12 views

HTTP Request Smuggling

apollo-server is vulnerable to HTTP request smuggling. The vulnerability exists because the library does not properly set the cache-control response header in the batched HTTP requests, allowing an attacker to smuggle HTTP requests...

1AI score
Exploits0
vulnersOsv
vulnersOsv
added 2022/11/02 6:18 p.m.5 views

@a11ywatch/a11ywatch (>=0.1.0 <=0.1.65), @a11ywatch/core (>=0.4.52 <=0.5.158) +11 more potentially affected by unknown CVE via apollo-server-core (>=3.10.0 <=3.10.4)

apollo-server-core NPM version =3.10.0, =0.1.0, =0.4.52, =0.1.0-alpha.0, =0.1.0-alpha.1, =0.1.0-alpha.0, =0.1.0-alpha.0, =0.1.0-alpha.0, =10.7.1, =9.0.0, =2.0.0-beta.7, =1.0.0, =4.13.1, =1.3.0-beta.2, =2.0.0-beta.2 Source cves: unknown CVE Source advisory: OSV:GHSA-8R69-3CVP-WXC3...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2022/11/02 6:18 p.m.28 views

Batched HTTP requests may set incorrect `cache-control` response header

Impact In Apollo Server 3 and 4, the cache-control HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappropriately cached and shared. Apollo Server...

6.3AI score
Exploits0References4Affected Software2
OSV
OSV
added 2022/11/02 6:18 p.m.14 views

GHSA-8R69-3CVP-WXC3 Batched HTTP requests may set incorrect `cache-control` response header

Impact In Apollo Server 3 and 4, the cache-control HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappropriately cached and shared. Apollo Server...

6.3AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2022/11/02 12:0 a.m.5 views

PT-2022-28222 · Unknown · Apollo Server

Name of the Vulnerable Software and Affected Versions: Apollo Server versions 3.0.0 through 3.10.0 Apollo Server versions 4.0.0 through 4.0.0 Description: The cache-control HTTP response header may not reflect the cache policy for HTTP requests with multiple operations using HTTP batching. This...

7.2AI score
Exploits0References5
GitLab Advisory Database
GitLab Advisory Database
added 2022/11/02 12:0 a.m.16 views

Batched HTTP requests may set incorrect `cache-control` response header

Impact In Apollo Server 3 and 4, the cache-control HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappropriately cached and shared. Apollo Server...

6.3AI score
Exploits0References4Affected Software1
vulnersOsv
vulnersOsv
added 2022/10/12 2:15 p.m.5 views

@aerogear/voyager-metrics (>=0.7.2-dev.409.01ecc9f.0 <=0.7.2-dev.411.7aaa5a6.0), @aerogear/voyager-server (>=0.7.2-dev.409.01ecc9f.0 <=0.9.1-dev.435.8d846ff.0) +47 more potentially affected by unknown CVE via apollo-server (>=2.0.0 <=2.25.3)

apollo-server NPM version =2.0.0, =0.7.2-dev.409.01ecc9f.0, =0.7.2-dev.409.01ecc9f.0, =2018.8.29-0, =2018.8.28-0, =1.0.0, =0.10.0, =0.0.9, =0.0.11, =0.0.0-alpha.1, =0.0.0-alpha.7, =0.0.0-alpha.3, =3.17.0, =0.0.0-alpha.7, =0.0.0-alpha.7, =3.23.3 and more Source cves: unknown CVE Source advisory:...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2022/10/12 2:15 p.m.23 views

The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...

7AI score
Exploits0References4Affected Software1
OSV
OSV
added 2022/10/12 2:15 p.m.5 views

GHSA-2P3C-P3QW-69R4 The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...

6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2022/10/12 12:0 a.m.5 views

PT-2022-28174 · Apollo · Apollo Server 2 +1

Name of the Vulnerable Software and Affected Versions: Apollo Server 2 versions prior to 2.25.4 Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled Description: The graphql-upload npm package can execute GraphQL operations contained in...

7.2AI score
Exploits0References5
Kitploit
Kitploit
added 2022/09/10 12:30 p.m.58 views

GraphCrawler - GraphQL Automated Security Testing Toolkit

Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint. NEW: Can search for endpoints for you using Escape Technology's powerful Graphinder tool. Just point it towards a domain and add the '-e' option and Graphinder will do subdomain enumeration + search popular...

7.4AI score
Exploits0References5
vulnersOsv
vulnersOsv
added 2022/08/18 6:55 p.m.5 views

@a11ywatch/a11ywatch (>=0.1.0 <=0.1.65), @a11ywatch/core (>=0.4.52 <=0.5.12) +2 more potentially affected by unknown CVE via apollo-server-core (=3.10.0)

apollo-server-core NPM version =3.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on apollo-server-core and may be impacted: - @a11ywatch/a11ywatch =0.1.0, =0.4.52, =10.7.1, =9.0.0, =9.0.1 Source cves: unknown CVE Source advisory:...

5.8AI score
Exploits0
OSV
OSV
added 2022/08/18 6:55 p.m.4 views

GHSA-2FVV-QXRQ-7JQ6 apollo-server-core vulnerable to URL-based XSS attack affecting IE11 on default landing page

Impact The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older...

6AI score
Exploits0References3
vulnersOsv
vulnersOsv
added 2021/11/08 6:7 p.m.11 views

4m-node-server (>=0.0.1 <=0.0.8), @2109-t5/server (>=1.0.0 <=1.0.9) +433 more potentially affected by unknown CVE via apollo-server (>=3.10.0 <=3.3.0)

apollo-server NPM version =3.10.0, =0.0.1, =1.0.0, =0.1.0, =0.4.52, =0.0.1, =1.0.7, =10.4.0, =9.0.0, =10.0.0, =10.0.0, =10.5.0, =10.4.0, =0.9.1, =0.9.6 and more Source cves: unknown CVE Source advisory: OSV:GHSA-QM7X-RC44-RRQW...

5.7AI score
Exploits0
vulnersOsv
vulnersOsv
added 2021/11/08 6:7 p.m.12 views

@aerogear/voyager-metrics (>=0.7.2-dev.409.01ecc9f.0 <=0.7.2-dev.411.7aaa5a6.0), @aerogear/voyager-server (>=0.7.2-dev.409.01ecc9f.0 <=0.9.1-dev.435.8d846ff.0) +46 more potentially affected by unknown CVE via apollo-server (>=2.0.0 <=2.25.0)

apollo-server NPM version =2.0.0, =0.7.2-dev.409.01ecc9f.0, =0.7.2-dev.409.01ecc9f.0, =2018.8.29-0, =2018.8.28-0, =1.0.0, =0.10.0, =0.0.9, =0.0.11, =0.0.0-alpha.1, =0.0.0-alpha.7, =0.0.0-alpha.3, =3.17.0, =0.0.0-alpha.7, =0.0.0-alpha.7, =3.23.3 and more Source cves: unknown CVE Source advisory:...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2021/11/08 6:7 p.m.33 views

Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...

0.5AI score
Exploits0References2Affected Software1
OSV
OSV
added 2021/11/08 6:7 p.m.82 views

GHSA-QM7X-RC44-RRQW Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...

6.3AI score
Exploits0References2
Rows per page
Query Builder