GraphCrawler - GraphQL Automated Security Testing Toolkit
Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint. NEW: Can search for endpoints for you using Escape Technology's powerful Graphinder tool. Just point it towards a domain and add the '-e' option and Graphinder will do subdomain enumeration + search popular...
CVE-2022-22897
A SQL injection vulnerability in the productalloneimg and imageproduct parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data...
PT-2022-15724 · Apollotheme · Wp Page Builder
Name of the Vulnerable Software and Affected Versions: ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop Description: A SQL injection issue in the product all one img and image product parameters allows unauthenticated attackers to exfiltrate database data. Recommendations: For...
PrestaShop Ap Pagebuilder 2.4.4 SQL Injection
Exploit Title: AP PAGEBUILDER Prestashop module = 2.4.4 'productalloneimg' , 'imageproduct' Blind SQL Injection Date: 24-08-2022 Exploit Author: Mohamed Ali Hammami Vendor Homepage: https://apollotheme.com/ Software Link : https://apollotheme.com/products/ap-pagebuilder-prestashop-module Version:...
@a11ywatch/a11ywatch (>=0.1.0 <=0.1.65), @a11ywatch/core (>=0.4.52 <=0.5.12) +2 more potentially affected by unknown CVE via apollo-server-core (=3.10.0)
apollo-server-core NPM version =3.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on apollo-server-core and may be impacted: - @a11ywatch/a11ywatch =0.1.0, =0.4.52, =10.7.1, =9.0.0, =9.0.1 Source cves: unknown CVE Source advisory:...
GHSA-2FVV-QXRQ-7JQ6 apollo-server-core vulnerable to URL-based XSS attack affecting IE11 on default landing page
Impact The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older...
apollo-gateway-rs (>=0.7.5 <=0.7.6), aqlgen (>=0.1.0 <=0.8.0) +61 more potentially affected by unknown CVE via async-graphql (>=1.13.4 <=4.0.16)
async-graphql CARGO version =1.13.4, =0.7.5, =0.1.0, =0.1.0, =0.1.0, =0.0.1-alpha+3, =0.1.0, =2.9.13, =0.1.0-beta.0, =2.9.12, =0.2.0, =1.14.10, =0.1.0, =1.0.0, =4.0.16 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XQ3C-8GQM-V648...
Denial Of Service (DoS)
ruby-apollo-upload-server is vulnerable to Denial of Service. The vulnerability exists in apollouploadserver, which allows an attacker to deny access to all users via specially crafted requests to the apollouploadserver middleware...
Malicious code in apollo-workarounds (npm)
Source: ghsa-malware 1973fbec21488c56d6b46c53f37d11d5f7f941af456f3569189ca9a22ea5b9fb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1057 Malicious code in apollo-federation-ruby (npm)
Source: ghsa-malware 5201e2567b87839a5bb3c1c2dd4c7c9b275c284349ff04a9c2b348451b979206 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service (DoS), which allows an attacker to deny access to all users via crafted requests to the apollouploadserver middleware. Details Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible...
GHSA-WMHW-HPWH-44PG Apache ActiveMQ Apollo XXE Vulnerability
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath-based selector when dequeuing XML messages...
ae-django-utils (=0.3.1), apollo-sdk (>=0.2.0 <=0.2.11) +32 more potentially affected by CVE-2021-45115 via django (>=4.0.0 <=4.0.0rc1)
django PYPI version =4.0.0, =0.2.0, =0.6.1, =2.16.1, =0.1.5, =1.0.7, =0.9.0, =0.4.0, =0.1.0, =0.1.1 and more Source cves: CVE-2021-45115 Source advisory: OSV:GHSA-53QW-Q765-4FWW...
ae-django-utils (=0.3.1), apollo-sdk (>=0.2.0 <=0.2.11) +32 more potentially affected by CVE-2021-45452 via django (>=4.0.0 <=4.0.0rc1)
django PYPI version =4.0.0, =0.2.0, =0.6.1, =2.16.1, =0.1.5, =1.0.7, =0.9.0, =0.4.0, =0.1.0, =0.1.1 and more Source cves: CVE-2021-45452 Source advisory: OSV:PYSEC-2022-3...
@aerogear/voyager-metrics (>=0.7.2-dev.409.01ecc9f.0 <=0.7.2-dev.411.7aaa5a6.0), @aerogear/voyager-server (>=0.7.2-dev.409.01ecc9f.0 <=0.9.1-dev.435.8d846ff.0) +46 more potentially affected by unknown CVE via apollo-server (>=2.0.0 <=2.25.0)
apollo-server NPM version =2.0.0, =0.7.2-dev.409.01ecc9f.0, =0.7.2-dev.409.01ecc9f.0, =2018.8.29-0, =2018.8.28-0, =1.0.0, =0.10.0, =0.0.9, =0.0.11, =0.0.0-alpha.1, =0.0.0-alpha.7, =0.0.0-alpha.3, =3.17.0, =0.0.0-alpha.7, =0.0.0-alpha.7, =3.23.3 and more Source cves: unknown CVE Source advisory:...
4m-node-server (>=0.0.1 <=0.0.8), @2109-t5/server (>=1.0.0 <=1.0.9) +432 more potentially affected by unknown CVE via apollo-server (>=3.10.0 <=3.3.0)
apollo-server NPM version =3.10.0, =0.0.1, =1.0.0, =0.1.0, =0.4.52, =0.0.1, =1.0.7, =10.4.0, =9.0.0, =10.0.0, =10.0.0, =10.5.0, =10.4.0, =0.9.1, =0.9.6 and more Source cves: unknown CVE Source advisory: OSV:GHSA-QM7X-RC44-RRQW...
GHSA-QM7X-RC44-RRQW Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)
Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...