CVE-2023-46942

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...

WWBN AVideo Cross-Site Scripting Vulnerability

WWBN AVideo is a video platform builder written in PHP by the WWBN team. A cross-site scripting vulnerability exists in WWBN AVideo, which stems from a cross-site scripting xss vulnerability in the functiongetOpenGraph videoName method...

Improper Authentication

Overview omniauth-microsoftgraph is an omniauth provider for new Microsoft Graph API. Affected versions of this package are vulnerable to Improper Authentication due to missing validation of the email attribute. An attacker can take over accounts by exploiting the trust placed in the email as a...

CVE-2024-21632

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

Information disclosure

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

CVE-2024-21632

The CVE-2024-21632 entry concerns omniauth-microsoft_graph, an Omniauth strategy for Microsoft Graph. Before version 2.0.0, it did not validate the user email attribute (nor provided an option to do so), exposing risk of nOAuth misconfiguration when email is used as a trusted user identifier and ...

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

Omniauth::MicrosoftGraph License Issues Vulnerability

Omniauth::MicrosoftGraph is an Omniauth policy for the Microsoft Graph Api from the individual developer Peter Philips. An authorization issue vulnerability exists in versions of Omniauth::MicrosoftGraph prior to 2.0.0, which stems from a failure to validate the legitimacy of a user's email...

Grackle Security Breach

Grackle is a GraphQL server written in functional Scala from the Typelevel project. A security vulnerability exists in Grackle versions prior to 0.18.0 that stems from the presence of a stack overflow, which could lead to a potential denial of service...

CVE-2023-6690

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed i...

GHSA-G56X-7J6W-G8R8 Grackle has StackOverflowError in GraphQL query processing

Impact Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. !CAUTION No...

GHSA-MVC8-6FFP-JRX5 Authorization bypass in Quarkus

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

GPAC Security Vulnerabilities

GPAC is an open source multimedia framework. A security vulnerability exists in GPAC version 2.3-DEV-rev602-ged8424300-master, which originates from a denial of service due to a memory leak contained in the NewSFDouble scenegraph/vrmltools.c 300 function...

ownCloud Phpinfo Reader Exploit

Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app graph installed contain a test file which prints phpinfo to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker m...

Information Disclosure

microsoft/microsoft-graph is vulnerable to Information Disclosure. The vulnerability exists in the phpinfo function of GetPhpInfo.php, allowing an attacker to access unauthorized system information such as configuration details, modules, and environment variables. This vulnerability is only...

CVE-2023-49283

microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...

Design/Logic Flaw

msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The...

Design/Logic Flaw

microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...