Cross-Site Request Forgery (CSRF)
silverstripe/graphql is vulnerable to cross-site request forgery (CSRF). The code change that implements CSRF protection on GraphQL mutation queries does not adequately verify the authenticity of requests on GraphQL endpoints. A GraphQL query formed with a fragment portion before the mutation would...
CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL
More info at https://www.silverstripe.org/download/security-releases/cve-2019-12437...
Information Disclosure
wp-graphql/wp-graphql is vulnerable to information disclosure. An attacker can obtain all information about WordPress users, such as email address, role and username, just by querying the current user's RootQuery...
PT-2019-19912 · WordPress · Wpgraphql
Name of the Vulnerable Software and Affected Versions: WPGraphQL version 0.2.3
Description: The issue allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
Recommendations: For WPGraphQL...
Prototype Pollution
Overview Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objec...
WordPress WPGraphQL Access Control Error Vulnerability (CNVD-2019-27673)
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WPGraphQL is a plugin that provides an extensible GraphQL architecture and API for WordPress sites. An access control error vulnerabili...
Pwning WordPress GraphQL
Third-party plugins are often the security Achilles' heel of Content Management Systems (CMS). It seems like not a month goes by without one security researcher or another uncovering a vulnerability in a plugin, undermining the security of the whole platform. Plugins are used to add functionality that...
Insecure Default Configuration
graphql-code-generator contains an insecure default configuration. SSL certificate verification was disabled by default, allowing man-in-the-middle (MitM) attacks...
Insecure Default Configuration
Overview: Versions of graphql-code-generator prior to 0.18.2 have an Insecure Default Configuration. The package sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process. Recommendation: Upgrade to versio...
Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL
Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by a GraphQL call on Shopify. But from my testing, I noticed that a STAFF member with NO EXPLICIT permissions can fetch the store's activity feed by calling the vulnerable endpoint. STEPS 1. STAFF member is not assigned any...
HackerOne: Invited team member can disclose Slack channels
Summary: Hello, this report is similar to 505493, which is also still waiting for a response, but the accent is totally on another thing. I think it is important and should be fixed, and so I created a new report. An invited team member without any permission can disclose private channel names of the Slack integration. ...
CVE-2019-1000011
API Platform versions from 2.2.0 to 2.3.5 contain an Incorrect Access Control vulnerability in GraphQL delete mutations, which can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable by a user who must be authorized. This vulnerability...
Improper access control
API Platform versions from 2.2.0 to 2.3.5 contain an Incorrect Access Control vulnerability in GraphQL delete mutations, which can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable by a user who must be authorized. This vulnerability...
CVE-2019-1000011
CVE-2019-1000011 affects API Platform core (PHP) 2.2.0–2.3.5, due to an Incorrect Access Control flaw in GraphQL delete mutations. The vulnerability allows a user who is authorized to delete a resource to delete any resource. The issue’s impact and existence are documented in multiple sources (in...
Improper Access Control
API Platform contains an Incorrect Access Control vulnerability in GraphQL delete mutations, which can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable by a user who must be authorized...
HackerOne: Confidential data of users and limited metadata of programs and reports accessible via GraphQL
Summary: The GraphQL endpoint doesn't have access controls implemented properly. Description: Any attacker can get personally identifiable information of HackerOne users, such as email address, backup hash codes, facebookuserid, accountrecoveryphonenumberverifiedat, totpenabled, etc. These are...
Shopify: Bypass GraphQL rate limit by abusing negative cost queries
Hi security team, While looking into the GraphQL app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to use in a given time, with a certain refresh rate associated with it. The details can be found at...
CVE-2019-1000011: Access control bypass in GraphQL mutations
Q / A: Bug fix? yes · New feature? no · BC breaks? no · Deprecations? no · Tests pass? yes · Fixed tickets: 2364 · License: MIT · Doc PR:
This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances (see 2364)...