GHSA-HX78-272P-MQQH Authorization Bypass in graphql-shield
Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rule results to be incorrectly cached and reused. This allows attackers to access information they should not have...
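An added example, not graphql-shield's code, of the design point behind this advisory: a rule declared no_cache must bypass the per-request cache entirely, rather than rely on a freshly generated key to miss it. The key generator below is a constructed 8-bit stand-in for a weak key source, chosen so that a collision is easy to provoke inside a single request that evaluates the rule once per list item. The mode names strict, contextual and no_cache are the ones named in the advisory; the rule, data and cache layout are illustrative.

```javascript
'use strict';
// Added example, not graphql-shield's code: a toy per-request rule cache with the
// three cache modes named in the advisory ('strict', 'contextual', 'no_cache').
// The point: a 'no_cache' rule must skip the cache, not rely on a random key to miss.

// Constructed stand-in for an insecure key source: an 8-bit LCG (a=5, c=1, m=256 has
// full period), so keys repeat after 256 draws and a collision is easy to provoke
// inside one request. Not a real PRNG.
function makeWeakKeyGen(seed = 0) {
  let state = seed & 0xff;
  return () => {
    state = (state * 5 + 1) & 0xff; // full period 256, then the sequence repeats
    return String(state);
  };
}

// A rule: name, cache mode, and a predicate over (parent, args, ctx).
function rule(name, cache, fn) {
  return { name, cache, fn };
}

// Buggy cache-key scheme: 'no_cache' still produces a key, just a random-looking one.
function buggyKey(r, args, keyGen) {
  if (r.cache === 'strict') return `${r.name}:${JSON.stringify(args)}`;
  if (r.cache === 'contextual') return r.name;
  return `${r.name}:${keyGen()}`; // 'no_cache': relies on the key never repeating
}

// Evaluate a rule through a per-request cache (a Map living on ctx).
// With fixed=true, 'no_cache' rules never touch the cache at all.
function evaluate(r, parent, args, ctx, { keyGen, fixed }) {
  if (fixed && r.cache === 'no_cache') return r.fn(parent, args, ctx);
  const key = buggyKey(r, args, keyGen);
  if (ctx.cache.has(key)) return ctx.cache.get(key);
  const result = r.fn(parent, args, ctx);
  ctx.cache.set(key, result);
  return result;
}

// isOwner depends on the parent object, so it is correctly declared 'no_cache':
// the same rule with the same args must be re-evaluated for every list item.
const isOwner = rule('isOwner', 'no_cache', (parent, _args, ctx) => parent.ownerId === ctx.userId);

// Simulate one request that resolves one document the caller owns followed by `n`
// documents owned by someone else. Returns how many foreign documents the rule allowed.
function countLeaks(n, fixed) {
  const ctx = { userId: 'alice', cache: new Map() };
  const opts = { keyGen: makeWeakKeyGen(7), fixed };
  const docs = [{ id: 0, ownerId: 'alice' }];
  for (let i = 1; i <= n; i++) docs.push({ id: i, ownerId: 'bob' });
  return docs
    .filter((d) => evaluate(isOwner, d, {}, ctx, opts))
    .filter((d) => d.ownerId !== 'alice').length;
}
```

With the buggy key scheme, the 257th evaluation in the request reuses the key of the first one and inherits its cached `true`, so a document owned by bob is released to alice; with the corrected mode, or with fewer than 256 evaluations, nothing leaks. A real generator collides far less often, but the lesson is the same: correctness of an authorization decision should never depend on a key never repeating.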
@blackbaud-bobbyearl/skyux-builder (>=1.10.0 <=1.10.1), @blackbaud/skyux-builder (>=1.10.1 <=1.31.0) +72 more potentially affected by unknown CVE via lodash.mergewith (>=4.0.3 <=4.6.0)
lodash.mergewith NPM version =4.0.3, =1.10.0, =1.10.1, =5.0.0, =5.2.8, =5.0.0, =5.0.0, =5.1.1, =1.3.0, =1.0.0-alpha.1, =1.0.4, =1.1.3, =1.0.0, =1.1.11, =1.0.3, =1.0.0, =1.0.0-alpha.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-5947-M4FG-XHQG...
GHSA-9W87-4J72-GCV7 Insecure Default Configuration in graphql-code-generator
Versions of graphql-code-generator prior to 0.18.2 have an Insecure Default Configuration. The package sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate verification for the entire Node.js process, not just for its own requests. This results in Insecure Communication for the process. Recommendation: Upgrade to version 0.18.2 ...
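An added example, not graphql-code-generator's code, of what this setting does and how to audit for it: the exact condition under which Node turns off certificate verification process-wide, a line scanner that finds code assigning the variable (the check to run over a dependency tree), and the scoped alternative of passing a private CA per client while leaving rejectUnauthorized on. The sample source text is constructed, not taken from any real package.

```javascript
'use strict';
// Added example, not graphql-code-generator's code. Shows (1) the exact condition under
// which Node disables certificate verification process-wide, (2) a source scan for code
// that sets it, and (3) the scoped alternative: per-connection TLS options that keep
// rejectUnauthorized on and add a private CA only where it is needed.

// Node evaluates this variable when a TLS client connection is set up and turns
// verification off for every TLS client in the process only when the value is exactly
// the string "0". "false", "no" or an empty string do not disable it.
function tlsVerificationDisabled(env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
}

// Matches assignments of 0 / '0' / "0" to process.env.NODE_TLS_REJECT_UNAUTHORIZED,
// in dot or bracket form, but not comparisons such as `=== '0'` or `!== '0'`.
const DISABLE_RE = /NODE_TLS_REJECT_UNAUTHORIZED['"]?\s*\]?\s*=\s*(['"]?)0\1(?![\w.])/;

// Scan source text line by line; returns [{ line, text }] for each offending line.
// Run this over the files under node_modules to find a dependency that flips the
// switch for the whole process.
function findGlobalTlsDisables(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((text, i) => {
    if (DISABLE_RE.test(text)) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}

// Scoped alternative: a private CA is trusted for this client only, verification stays
// on. The returned object is what you pass to https.request or new https.Agent(...).
function scopedTlsOptions(caPem) {
  return { rejectUnauthorized: true, ca: [caPem] };
}

// Constructed sample of a dependency's entry point (not real package code).
const SAMPLE_SOURCE = [
  "const fetch = require('node-fetch');",
  "process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;          // disables verification globally",
  "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';     // same thing, bracket form",
  "if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') console.warn('TLS verification is off');",
  "const rejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED !== '0';",
].join('\n');
```

Running findGlobalTlsDisables over the sample reports lines 2 and 3 and ignores the two comparison lines. A guard such as tlsVerificationDisabled(process.env) at startup, failing the process rather than warning, catches the case where the variable was set by a dependency before your own code ran.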
@absa-subatomic/openshift-api (>=0.0.1 <=0.0.2), @atomist-seeds/empty-sdm (>=1.0.0-atomist-update-branch-master-20190328081334.20190328081445 <=1.0.0-master.20190328082132) +24 more potentially affected by unknown CVE via graphql-code-generator (>=0.10.7 <=0.17.0)
graphql-code-generator NPM version =0.10.7, =0.0.1, =1.0.0-atomist-update-branch-master-20190328081334.20190328081445, =0.3.7, =1.0.2, =1.1.0, =0.1.2, =0.1.0-master.20190213110409, =1.0.3-atomist-update-branch-master-1543218569607.20181126075034, =1.0.0-master.20190215080022, =1.0.0, =0.11.10,...
GitLab: Able to leak private email of any user given his/her username via graphql
Summary: The GraphQL user query is leaking the private email of users: query { user(username: "") { email username } }. Steps to reproduce (step-by-step guide to reproduce the issue, including): Have an account with private email settings. Use the GraphQL query to access the private email: query { user(username: "") { email username } }...
New Relic: Getting API access key Through Introspection query Graphql
The introspection query should only be allowed internally and should not be allowed to the general public. If we can fetch the entire back-end API documentation and the calls available on a server, that can be very dangerous in many cases: what if we could get our hands on some API calls only mean...
Shopify: Password protection can be removed for newly created development store
Details: Per https://help.shopify.com/en/partners/dashboard/managing-stores/development-stores#the-development-store-password-page, it states that the password can only be removed once the store has been transferred or switched to a paid plan. You can remove the password page only after you transfer...
HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted
Hi team, I don't know your policy about pentesters and their visibility on the platform, but I couldn't find any other pentesters before. 1. For example: GraphQL has the h1pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester ...
HackerOne: Graphql: Sorting the reports by jira_status field resulted to different value
Summary: Sorting the reports by jira_status yields a different result, showing that the team is using Jira even though the user has no access. Description: A user with no access to the Jira information of any report can somehow access the Jira field by ordering the reports by jira_status. Using the 2 GraphQL queries below we...
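An added example, not HackerOne's or GitLab's code, of the authorization pattern behind this report and the GitLab private-email entry above: a resolver that filters fields per role but lets the caller sort on any field turns the sort order into an oracle for the hidden value. The toy below implements the vulnerable listing, the oracle view of it, and the fix (the sort argument is subject to the same field policy as the projection). The report data, the roles member and team, and the field names other than jira_status are constructed for the example.

```javascript
'use strict';
// Added example, not HackerOne's code: a toy report listing that shows how a sort
// argument becomes an oracle for a field the caller is not allowed to read, and the
// fix (validate the sort field against the caller's readable fields).

// Constructed sample data. jira_status is team-only.
const REPORTS = [
  { id: 101, title: 'XSS in profile', jira_status: 'Done' },
  { id: 102, title: 'IDOR in export', jira_status: null },
  { id: 103, title: 'SSRF in webhook', jira_status: 'In Progress' },
];

// Which roles may read each field (constructed policy).
const FIELD_POLICY = {
  id: ['member', 'team'],
  title: ['member', 'team'],
  jira_status: ['team'],
};

function readableFields(role) {
  return Object.keys(FIELD_POLICY).filter((f) => FIELD_POLICY[f].includes(role));
}

// Keep only the fields the role may see.
function project(report, fields) {
  const out = {};
  for (const f of fields) out[f] = report[f];
  return out;
}

// Sort by a field; nulls first, so whether a value exists is visible in the order.
function sortBy(items, field) {
  return [...items].sort((a, b) => {
    const av = a[field];
    const bv = b[field];
    if (av === bv) return 0;
    if (av === null || av === undefined) return -1;
    if (bv === null || bv === undefined) return 1;
    return av < bv ? -1 : 1;
  });
}

// Vulnerable: field-level filtering is applied to the output, but the sort key is not
// checked, so a 'member' can still order by jira_status and read it off the order.
function listReportsVulnerable(role, orderBy) {
  const fields = readableFields(role);
  return sortBy(REPORTS, orderBy).map((r) => project(r, fields));
}

// Fixed: the sort argument is subject to the same policy as the fields themselves.
function listReportsFixed(role, orderBy) {
  const fields = readableFields(role);
  if (!fields.includes(orderBy)) {
    throw new Error(`order_by: field "${orderBy}" is not available to role "${role}"`);
  }
  return sortBy(REPORTS, orderBy).map((r) => project(r, fields));
}

// What the caller learns from the vulnerable listing: the id order under the hidden
// sort key. Comparing it with the order under a readable key reveals which reports
// have a Jira status and how those statuses compare.
function oracleOrder(role, orderBy) {
  return listReportsVulnerable(role, orderBy).map((r) => r.id);
}
```

The member role never receives a jira_status field, yet ordering by it returns 102 first (no status) followed by 101 and 103 (statuses that sort before one another), which is exactly the information the policy was meant to hide. The same check belongs on filter and search arguments, which leak the same way.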
LY Corporation: Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me)
LINE entry is a service that provides programming education for children https://entry.line.me. LINE entry provides users with the ability to add profile images. It was possible to delete other people's profile images or thumbnails using a GraphQL query...
aiida-graphql (>=0.0.1 <=0.0.2), annhub-python (>=0.1.5 <=0.1.6) +31 more potentially affected by CVE-2020-7695 via uvicorn (>=0.10.0 <=0.11.5)
uvicorn PYPI version =0.10.0, =0.0.1, =0.1.5, =1.0.0, =22.70.0, =0.31.0, =0.0.14, =0.8.0, =2.0.0, =1.0.0a1, =0.0.2, =0.0.1a0, =0.0.1a1 and more Source cves: CVE-2020-7695 Source advisory: OSV:GHSA-F97H-2PFX-F59F...
Authorization Bypass
parse-server is vulnerable to authorization bypass. The vulnerability exists in the GraphQL viewer query, where an authenticated user can bypass the read security restrictions placed on their User object and on all objects linked to it through relations...
CVE-2020-15126
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass read security on all objects linked via relation or Pointer on his User object...
GHSA-236H-RQV8-8Q73 GraphQL: Security breach on Viewer query
Impact: An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass read security on all objects linked via relation or Pointer on his User object. Patches: This vulnerability has been patched in Parse Server 4.3.0. Workarounds: None. References: See commit...
CVE-2020-15126
CVE-2020-15126 affects parse-server versions from 3.5.0 before 4.3.0. An authenticated user executing the viewer GraphQL query can bypass read security on his User object and gain access to all objects linked via relations or pointers on that User object. The issue is an authorization bypa...
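An added example, not Parse Server's code, of the failure class described in the CVE-2020-15126 entries above: a viewer-style resolver that treats "the caller's own User object" as trusted and expands every pointer reachable from it without re-applying read ACLs, next to a version that checks the ACL on the User object and on every hop. The object store, class names other than _User, ACL contents and the pointer shape are constructed for the example; the ACL layout follows Parse's { userId: { read, write } } convention but nothing here is the real Parse implementation.

```javascript
'use strict';
// Added example, not Parse Server's code: a toy object store with per-object ACLs and a
// `viewer`-style resolver, showing read security skipped on the caller's User object and
// on everything reachable from it through pointers, next to a version that re-checks
// the ACL on every hop.

// Constructed data. __acl: { [userId or '*']: { read, write } }, like Parse's ACL shape.
// alice (u1) may read her own user; the Team and Document it points at belong to u2.
const STORE = {
  _User: {
    u1: {
      objectId: 'u1', username: 'alice', email: 'alice@example.com',
      __acl: { u1: { read: true, write: true } },
      team: { __type: 'Pointer', className: 'Team', objectId: 't1' },
    },
  },
  Team: {
    t1: {
      objectId: 't1', name: 'Core',
      __acl: { u2: { read: true, write: true } },
      payroll: { __type: 'Pointer', className: 'Document', objectId: 'd1' },
    },
  },
  Document: {
    d1: { objectId: 'd1', body: 'salary sheet', __acl: { u2: { read: true, write: true } } },
  },
};

// Object-level read check: public read or an explicit grant to this user.
function canRead(obj, userId) {
  const acl = obj.__acl || {};
  return Boolean((acl['*'] && acl['*'].read) || (acl[userId] && acl[userId].read));
}

function isPointer(v) {
  return Boolean(v) && typeof v === 'object' && v.__type === 'Pointer';
}

// Expand pointers recursively. `check` is the read-permission predicate applied to every
// object loaded along the way; unreadable targets are returned as bare pointers (id only).
function expand(obj, userId, check, depth = 0) {
  if (depth > 5) return obj; // bound traversal depth
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (k === '__acl') continue; // never echo the ACL itself
    if (!isPointer(v)) { out[k] = v; continue; }
    const target = STORE[v.className] && STORE[v.className][v.objectId];
    if (!target) out[k] = null;
    else if (!check(target, userId)) out[k] = { __type: 'Pointer', className: v.className, objectId: v.objectId };
    else out[k] = expand(target, userId, check, depth + 1);
  }
  return out;
}

// Vulnerable: the viewer query trusts that this is the caller's own record and loads the
// user and everything linked from it without applying read ACLs (as if with a master key).
function viewerVulnerable(userId) {
  const user = STORE._User[userId];
  if (!user) return null;
  return expand(user, userId, () => true);
}

// Fixed: the User object itself and every pointer target pass through the same ACL check
// that any other query path would apply.
function viewerFixed(userId) {
  const user = STORE._User[userId];
  if (!user || !canRead(user, userId)) return null;
  return expand(user, userId, canRead);
}
```

The vulnerable resolver hands alice the team's payroll document two hops away, although she may read neither the team nor the document; the fixed one returns her own fields and a bare pointer to the team. The same rule applies to relation fields and to protected fields on the User class: the entry point being "the caller's own object" does not make what it links to readable.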