CVE-2024-24556 XSS in @urql/next
urql is a GraphQL client that exposes a set of helpers for several frameworks. The @urql/next package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns html tags and that the web-application is using streamed responses non-RSC. This vulnerability is...
CVE-2024-24556
CVE-2024-24556 affects the urql family; specifically the @urql/next package is vulnerable to Cross-Site Scripting (XSS). The root cause is improper escaping of HTML-like characters in the response stream, which attackers could exploit when the application uses streamed responses (non-RSC) and the...
CVE-2024-23841 XSS in @apollo/experimental-nextjs-app-support
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...
Formidable urql Cross-Site Scripting Vulnerability
Formidable urql is a customizable and versatile GraphQL client from Formidable. A cross-site scripting vulnerability exists in Formidable urql due to incorrect escaping of html-like characters in the response stream...
This Week in Spring - January 30th, 2024
Hi, Spring fans! It's January 30th, and it's a very special week for me as, tomorrow, I celebrate my birthday and the birthday of my biological father with whom I share the same birthday! Happy birthday, dad! Sadly, he passed in 2019. I'm pretty excited! I'm turning 40. Feels good. Almost as good...
Permission Bypass
silverstripe/graphql is vulnerable to Permission Bypass. The vulnerability is due to ORM data in paginated GraphQL queries when the total number of records exceeds the page size. This allows an attacker unauthorized access to data beyond the intended permission scope...
CVE-2023-44401
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number o...
Code injection
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number o...
CVE-2023-44401 Silverstripe GraphQL's view permissions are bypassed for paginated lists of ORM data
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number o...
CVE-2023-44401
The CVE-2023-44401 issue affects the Silverstripe GraphQL Server. In Silverstripe CMS versions 4.0.0–4.3.7 and 5.0.0–5.1.2, canView permission checks can be bypassed for ORM data in paginated GraphQL query results where total records exceed a page size (including queries with explicit limits). Th...
GHSA-JGPH-W8RH-XF5P View permissions are bypassed for paginated lists of ORM data
Impact canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This ha...
CVE-2023-44401 View permissions are bypassed for paginated lists of ORM data in GraphQL queries
More info at https://www.silverstripe.org/download/security-releases/CVE-2023-44401...
tRPC vs GraphQL
Deciphering the Cloud Conundrum: An Introduction to tRPC & GraphQL The dynamic domain of cloud technology presents a couple of instrumental methodologies in the arena of APIs: tRPC and GraphQL. Each serves as a potent asset for developers in crafting applications that are resilient, scalable, and...
Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access (CVE-2023-46158, CVE-2023-0482, CVE-2022-46364, CVE-2023-28867)
Summary Security Vulnerability fixes in IBM WebSphere Application Server Liberty and other components have been addressed in an update to IBM Security Verify Access. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could...
Improper Authorization
@evershop/evershop is vulnerable to Improper Authorization. The vulnerability is due to lack of authorization checks while accessing GraphQL endpoints, resulting in Remote attackers extracting sensitive information...