3126 matches found

Veracode
added 2023/08/06 10:44 p.m. · 25 views

Information Disclosure

gitlab is vulnerable to Information Disclosure. An attacker could exploit this vulnerability by sending a specially crafted GraphQL query to the GitLab server. This query would allow the attacker to enumerate the usernames of all users on the server, even if they do not have an account...

CVSS 5.3 · AI score 6.4 · EPSS 0.80004
Exploits 4 · References 4 · Affected Software 1
Veracode
added 2023/08/06 9:00 p.m. · 24 views

Improper Authorization

gitlab is vulnerable to Improper Authorization. The vulnerability exists due to improper access to some particular fields through the GraphQL API which allows an attacker to perform unauthorized actions...

CVSS 6.5 · AI score 6.7 · EPSS 0.01141
Exploits 1 · References 3 · Affected Software 1
Veracode
added 2023/08/06 8:20 p.m. · 23 views

Denial Of Service (DoS)

gitlab is vulnerable to Denial of Service (DoS). The vulnerability exists due to the lack of length validation in the library, which allows an attacker to create a large Issue description via GraphQL, leading to an application crash...

CVSS 4.3 · AI score 6.7 · EPSS 0.84438
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2023/08/06 2:36 p.m. · 25 views

Information Disclosure

gitlab is vulnerable to Information Disclosure. This vulnerability occurs due to a flaw in the way that GitLab handles GraphQL queries. An attacker can exploit this vulnerability to access project details that they are not authorized to see...

CVSS 6.5 · AI score 6.3 · EPSS 0.0135
Exploits 1 · References 4 · Affected Software 1
Veracode
added 2023/08/06 2:35 p.m. · 24 views

Cross-Site Request Forgery (CSRF)

gitlab is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the GraphQL API, allowing an attacker to call mutations as the victim...

CVSS 7.1 · AI score 6.8 · EPSS 0.00893
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2023/08/06 2:34 p.m. · 25 views

Authorization Bypass

gitlab is vulnerable to Authorization Bypasses. This vulnerability occurs due to a flaw in the way that GitLab handles GraphQL mutations. An attacker can exploit this vulnerability to perform Git actions even if they are not authorized to do so...

CVSS 7.5 · AI score 6.3 · EPSS 0.00934
Exploits 0 · References 3 · Affected Software 1
IBM Security Bulletins
added 2023/08/01 6:41 a.m. · 41 views

Security Bulletin: IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867)

Summary: IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially crafted GraphQL query, a remote attacker could exploit this vulnerability to cause a stack consumption. Vulnerability Details: ...

CVSS 7.5 · AI score 7.6 · EPSS 0.01051
Exploits 0 · Affected Software 1
The Hacker News
added 2023/07/28 11:48 a.m. · 45 views

A Data Exfiltration Attack Scenario: The Porsche Experience

As part of Checkmarx's mission to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Since Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy [1]), it was considered in scope for...

AI score 6.5
Exploits 0
Veracode
added 2023/07/27 6:46 a.m. · 21 views

Improper Permission Checks

directus is vulnerable to Improper Permission Checks. The vulnerability exists because permission filters such as user_created IS $CURRENT_USER are not properly checked in the library when using a GraphQL subscription, allowing an attacker to get a subscription event for which they do not have...

CVSS 6.5 · AI score 6.3 · EPSS 0.00426
Exploits 0 · References 4 · Affected Software 1
OSV
added 2023/07/25 11:31 p.m. · 26 views

GHSA-GGGM-66RH-PP98 Incorrect Permission Checking for GraphQL Subscriptions

Summary: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Access to information you should not have access to when the permissions rely on $CURRENT_USER for filtering. Details: The permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL...

CVSS 5.7 · AI score 6.4 · EPSS 0.00426
Exploits 0 · References 4
Github Security Blog
added 2023/07/25 11:31 p.m. · 32 views

Incorrect Permission Checking for GraphQL Subscriptions

Summary: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Access to information you should not have access to when the permissions rely on $CURRENT_USER for filtering. Details: The permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL...

CVSS 6.5 · AI score 6 · EPSS 0.00426
Exploits 0 · References 4 · Affected Software 1
NVD
added 2023/07/25 11:15 p.m. · 23 views

CVE-2023-38503

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL subscription, resulting in unauthorized users getting event o...

CVSS 6.5 · AI score 6.1 · EPSS 0.00426
Exploits 0 · References 2
CVE
added 2023/07/25 10:06 p.m. · 2509 views

CVE-2023-38503

Directus (real-time API/dashboard for SQL data) has an authentication/authorization flaw in GraphQL subscriptions. From version 10.3.0 up to, but not including, 10.5.0, permission filters like user_created IS $CURRENT_USER are not properly enforced for subscription events, allowing unauthorized u...

CVSS 6.5 · AI score 6 · EPSS 0.00426
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2023/07/25 10:06 p.m. · 33 views

CVE-2023-38503 Directus has Incorrect Permission Checking for GraphQL Subscriptions

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL subscription, resulting in unauthorized users getting event o...

CVSS 5.7 · AI score 6.8 · EPSS 0.00426
Exploits 0 · References 2
Vulnrichment
added 2023/07/25 10:06 p.m. · 13 views

CVE-2023-38503 Directus has Incorrect Permission Checking for GraphQL Subscriptions

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL subscription, resulting in unauthorized users getting event o...

CVSS 5.7 · AI score 7.2 · EPSS 0.00426
Exploits 0 · References 2
OSV
added 2023/07/25 10:06 p.m. · 20 views

CVE-2023-38503 Directus has Incorrect Permission Checking for GraphQL Subscriptions

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters, i.e. user_created IS $CURRENT_USER, are not properly checked when using GraphQL subscription, resulting in unauthorized users getting event o...

CVSS 5.7 · AI score 6.4 · EPSS 0.00426
Exploits 0 · References 4
CNNVD
added 2023/07/25 12:00 a.m. · 4 views

Directus Information Disclosure Vulnerability

Directus is a real-time API and application dashboard. It is used to manage SQL database content. An information disclosure vulnerability exists in Directus versions prior to 10.3.0 through 10.5.0, which stems from improper permission checking of GraphQL subscriptions, resulting in an information...

CVSS 6.5 · AI score 6.4 · EPSS 0.00426
Exploits 0 · References 3
Positive Technologies
added 2023/07/25 12:00 a.m. · 3 views

PT-2023-26483 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions 10.3.0 through 10.4.x Description: The issue concerns the improper checking of permission filters when using GraphQL subscriptions, resulting in unauthorized users receiving events they should not have access to. This affect...

CVSS 6.5 · AI score 7.1 · EPSS 0.00426
Exploits 0 · References 9
Veracode
added 2023/07/23 2:06 p.m. · 19 views

Denial Of Service (DoS)

gitlab is vulnerable to Denial of Service (DoS). The vulnerability exists due to the lack of length validation in the library, which allows an attacker to create large issue descriptions via GraphQL, leading to an application crash...

CVSS 6.5 · AI score 7.8 · EPSS 0.01247
Exploits 0 · References 4 · Affected Software 1
IBM Security Bulletins
added 2023/07/14 11:54 a.m. · 48 views

Security Bulletin: CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Standard

Summary: CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Standard. IBM CICS TX Standard has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2023-28867. DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by a...

CVSS 7.5 · AI score 7.5 · EPSS 0.01051
Exploits 0 · Affected Software 1