CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

Authentication flaw

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

CVE-2023-6394 Quarkus: graphql operations over websockets bypass

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

CVE-2023-6394 Quarkus: graphql operations over websockets bypass

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...

Quarkus Security Vulnerabilities

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from when a request is received via websocket and role-based permissions are not specified on a GraphQL operation, Quarkus processes the request without...

CVE-2023-47643

SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

Authentication flaw

SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled

SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

CVE-2023-47643

SuiteCRM before 8.4.2 exposes GraphQL schema via unauthenticated Graphql Introspection, allowing an attacker to enumerate all object types, arguments, and functions (including sensitive fields such as UserHash). This is documented across multiple sources (NVD, Red Hat, OSV, and a dedicated Nuclei...

CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled

SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled

SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

SalesAgility SuiteCRM Security Breach

Salesagility SalesAgility SuiteCRM is a suite of enterprise-grade, open source Customer Relationship Management CRM from Salesagility UK. A security vulnerability exists in SalesAgility SuiteCRM versions prior to 8.4.2 that stems from Graphql Introspection being enabled without authentication,...

VulnCheck KEV: CVE-2021-4191

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API...

DRUPAL-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

PT-2023-7609 · Quarkus · Quarkus

Name of the Vulnerable Software and Affected Versions: Quarkus affected versions not specified Description: The issue is related to the incorrect implementation of the sequence of actions in the Quarkus Java framework's WebSocket technology, resulting from insufficient access restriction when...

GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability. This vulnerability is mitigated by the fact that enti...

A.S. Watson Group : Access to internal info via Graphql on https://tng-api.watsons.com.my

Vulnerability description not provided...

HackerOne: IDOR vulnerability in unreleased HackerOne Copilot feature

An unreleased feature of HackerOne's Copilot was vulnerable to IDOR through a GraphQL mutation. By supplying another user's conversation ID, an attacker could have deleted conversations in the Copilot interface before this issue was addressed...