CVE-2023-40180 Denial of service vulnerability in silverstripe-graphql via recursive queries

silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack DDOS attack against a website. This mostly affects websites with publicly exposed graphql schemas. If your...

CVE-2023-40180 DDOS Vulnerability on GraphQL due to lack of protection against recursive queries

More info at https://www.silverstripe.org/download/security-releases/CVE-2023-40180...

Shopify: IDOR on GraphQL queries BillingDocumentDownload and BillDetails

A vulnerability allowed unauthorized access to billing invoice information for other merchants...

HackerOne: Organization members can delete reports in teams they have no access to

Reports in teams could be deleted by organization members without access to those teams. The vulnerability allowed deletion of analytics reports for restricted teams through a GraphQL mutation even when members lacked permissions to view or edit those reports...

PT-2023-36348 · Unknown · Graphql Mesh

Name of the Vulnerable Software and Affected Versions: GraphQL Mesh affected versions not specified Description: GraphQL Mesh is a framework and gateway for GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, and databases. When a user transforms on the root level or...

CVE-2023-43799

Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the...

Code injection

Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the...

CVE-2023-43799

CVE-2023-43799 affects the Altair GraphQL Client Desktop Application (macOS, Windows, Linux). Prior to version 5.2.5, it does not sanitize external URLs before handing them to the underlying system and does not isolate the renderer context, enabling potential local impact with high severity per N...

CVE-2023-43799 The Altair Desktop Client Does Not Sanitize External URLs before passing them to the underlying system

Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2023-28867)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Cache poisoning in drupal/core

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...

CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...

Privilege escalation

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...

CVE-2023-5256 Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...

Pimcore Demo Allows GraphQL Introspection

Introspection is enabled on demo.pimcore.fun. The demo site has graphql as a feature for users, but allows users to run instropection queries, which presents a potential schema information disclosure vulnerability...

GHSA-P76J-H4M8-HX5C Pimcore Demo Allows GraphQL Introspection

Introspection is enabled on demo.pimcore.fun. The demo site has graphql as a feature for users, but allows users to run instropection queries, which presents a potential schema information disclosure vulnerability...

PT-2023-31900 · Pimcore · Pimcore

Name of the Vulnerable Software and Affected Versions: pimcore/demo versions prior to 10.3.0 Description: The issue concerns excessive data query operations in a large data table. Additionally, introspection is enabled on the demo site demo.pimcore.fun, which allows users to run introspection...

This Week in Spring - September 26th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? It's September 26th, 2023, and I am in sunny Singapore for SpringOne at VMWare Explore Singapore. If you're around, don't forget to say hi! It's gonna be a fun and busy week in Singapore, and then next week I'm o...

Information Disclosure

org.springframework.graphql:spring-graphql is vulnerable to Information Disclosure. The vulnerability is due to an issue where an application provides a DataLoaderOptions instance when registering batch loader functions through the DefaultBatchLoaderRegistry method leading to information disclosu...

Denial Of Service

graphql is vulnerable to Denial Of Service. The vulnerability is due to an insufficient check/comparison between node1 and node2 in the OverlappingFieldsCanBeMergedRule.ts file. This can result in a degradation of system performance when processing large queries...