53 matches found
CVE-2023-42319
Geth aka go-ethereum through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service memory consumption and daemon hang via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint is not designed to withstand attacks by hostile client...
CVE-2023-42319
Geth aka go-ethereum through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service memory consumption and daemon hang via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint is not designed to withstand attacks by hostile client...
Geth Security Breach
Geth is a library in the Geth open source. A security vulnerability exists in Geth 1.13.4 and earlier versions that stems from allowing an attacker to cause a denial of service DOS via a specially crafted graphql query...
Improper Access Control
@keystone-6/core is vulnerable to Improper Access Control. The vulnerability exists when the ui.isAccessAllowed parameter in the KeystoneMeta function of adminMetaSchema.ts is set as undefined, which allows an attacker to access the admin meta GraphQL query if the session strategy is not defined...
Silverstripe CMS GraphQL Server 安全漏洞
Silverstripe CMS GraphQL Server is a tool that makes SilverStripe data available as a GraphQL representation. A security vulnerability exists in Silverstripe CMS GraphQL Server versions 4.2.2 and 4.1.1. An attacker exploiting this vulnerability could perform a denial-of-service attack against a...
Ibexa GraphQL Bundle 安全漏洞
Ibexa GraphQL Bundle is an Ibexa open source GraphQL server for the eZ platform, open source Symfony CMS. A security vulnerability exists in Ibexa GraphQL Bundle versions prior to 2.3.12 and 1.0.13, which stems from the fact that its insecure storage of sensitive information results in...
CVE-2019-25060 WP-GraphQL < 0.3.5 - Improper Access Control
The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site...
LY Corporation: Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me)
LINE entry is a service that provides programming education for children https://entry.line.me. LINE entry provides users with the ability to add profile images. It was possible to delete other people's profile images or thumbnails using a GraphQL query...
CVE-2020-15126
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object...
CVE-2020-15126
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object...
HackerOne: Customer private program can disclose email any users through invited via username
Summary: Hey team,This bug could have been used by my calculations a long time ago Steps To Reproduce: 1Go to https://hackerone.com/hackeroneh1pbbp3/launch 2Take invite via username 3Input username , send invite 3.1When an invite is created, we get a token 4Now Go use GraphQL query...
HackerOne: Private program disclosure via `vpn_suspended` GraphQL query
Summary: vpnsuspended of Team object got exposed Description: An attacker can get vpnsuspended value of any program including external program which also have private program eg. █████ and external program which does not have private program What an attacker can do with this ? If an external...
HackerOne: Invited team member can disclosure slack channels
Summary: Hello, this report is similar to 505493 also still waiting for response, but accent is totally on another thing. I think it is important and should be fixed, and so i create new report. Invited team member without any permission can disclosure private channel names of slack integration. ...