3121 matches found

Hacker One
added 2024/12/07 12:19 a.m. · 6 views

Shopify: GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior)

Summary: Hi team! I've found a misconfiguration in your GraphQL API, on an endpoint where an attacker is able to run a GraphQL introspection query to fetch schemas, types, fields and available query operations. After running the introspection query on the GraphQL API endpoint, an attacker is...

AI score 6.8
Exploits 0
Positive Technologies
added 2024/12/06 12:00 a.m. · 3 views

PT-2024-10156 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 11.0 through 17.4.6; 17.5 through 17.5.4; 17.6 through 17.6.2.
Description: The issue is related to the GraphQL Mutation Handler component of the GitLab platform, which can lead t...

CVSS 4 · AI score 5.9 · EPSS 0.00212
Exploits 0 · References 15
OSSF Malicious Packages
added 2024/11/26 5:21 a.m. · 3 views

Malicious code in grapql-yoga (npm)

Source: ghsa-malware 86b2818aa6d6a1a84cac4d9d34681b77244b961c6531a273fe5273b4284abc62. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1
OSV
added 2024/11/26 5:21 a.m. · 8 views

MAL-2024-10976 Malicious code in grapql-yoga (npm)

Source: ghsa-malware 86b2818aa6d6a1a84cac4d9d34681b77244b961c6531a273fe5273b4284abc62. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
NVD
added 2024/11/22 9:15 p.m. · 23 views

CVE-2024-9665

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious ema...

CVSS 6.5 · EPSS 0.00465
Exploits 0 · References 2
OSV
added 2024/11/22 9:15 p.m. · 12 views

CVE-2024-9665

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious ema...

CVSS 6.5 · AI score 6.2
Exploits 0 · References 2
Vulnrichment
added 2024/11/22 9:02 p.m. · 14 views

CVE-2024-9665 Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious ema...

CVSS 6.5 · AI score 6.2 · EPSS 0.00465
Exploits 0 · References 2
Cvelist
added 2024/11/22 9:02 p.m. · 18 views

CVE-2024-9665 Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability

Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Zimbra. User interaction is required to exploit this vulnerability in that the target must open a malicious ema...

CVSS 6.5 · EPSS 0.00465
Exploits 0 · References 2
CVE
added 2024/11/22 9:02 p.m. · 98 views

CVE-2024-9665

CVE-2024-9665 is a Zimbra GraphQL CSRF Information Disclosure vulnerability. The flaw resides in the GraphQL endpoint of Zimbra Collaboration (GraphQL implementation) and stems from insufficient CSRF protections, allowing an attacker to disclose sensitive information within the context of a victi...

CVSS 6.5 · AI score 6.4 · EPSS 0.00465
Exploits 0 · References 2 · Affected Software 1
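The five CVE-2024-9665 records above describe a CSRF against a GraphQL endpoint but give no detail beyond "insufficient CSRF protections". What follows is an added example, not Zimbra's code and not a reconstruction of the Zimbra flaw: the request-level gate a cookie-authenticated GraphQL server should apply before it parses or executes an operation. The endpoint name, the allowed origin and the sample requests are constructed for the example.

```python
"""Added example: request-level CSRF gate for a cookie-authenticated GraphQL endpoint.

Not Zimbra's code and not a reconstruction of CVE-2024-9665; the checks are the
generic ones: POST only, a Content-Type that forces a CORS preflight, and an
Origin allowlist as defence in depth.
"""
from typing import Mapping, Optional

# Content types a browser can send cross-site WITHOUT a CORS preflight
# (HTML <form> posts, "simple" fetch() requests). A GraphQL server that
# executes operations carried in such bodies is forgeable from any origin.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
    "",  # missing Content-Type
}

# Assumed deployment origin of the web client (configuration in a real server).
ALLOWED_ORIGINS = {"https://mail.example.com"}


def csrf_check(method: str, headers: Mapping[str, str],
               allowed_origins=ALLOWED_ORIGINS) -> Optional[str]:
    """Return None if the request may reach the GraphQL executor, otherwise
    the reason for rejecting it. Runs before the body is touched."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Operations only via POST: GET /graphql?query=... can be forged with a
    #    plain link or <img src>, and its response may end up in caches.
    if method.upper() != "POST":
        return f"{method} not allowed: GraphQL operations must be POSTed"

    # 2. Require a Content-Type that is not CORS-safelisted. application/json
    #    forces a preflight, so a browser only sends it cross-origin after the
    #    server has explicitly opted in via Access-Control-Allow-* headers.
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in SIMPLE_CONTENT_TYPES:
        return f"content-type {ctype or '<missing>'} can be sent cross-site without preflight"
    if ctype != "application/json":
        return f"unsupported content-type {ctype}"

    # 3. Defence in depth: a permissive CORS policy (reflected Origin plus
    #    credentials) would let any site through the preflight, so also pin
    #    the Origin when a browser supplies one. Non-browser clients send no
    #    Origin and authenticate with bearer tokens, so they pass this step.
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return f"origin {origin} not in allowlist"
    return None


# Constructed sample requests: (method, headers) as a browser or tool would send them.
SAMPLE_REQUESTS = {
    "spa_same_origin": ("POST", {"Content-Type": "application/json; charset=utf-8",
                                 "Origin": "https://mail.example.com",
                                 "Cookie": "session=abc"}),
    "forged_form_post": ("POST", {"Content-Type": "text/plain",
                                  "Origin": "https://attacker.example",
                                  "Cookie": "session=abc"}),
    "forged_get_link": ("GET", {"Cookie": "session=abc"}),
    "cross_origin_json": ("POST", {"Content-Type": "application/json",
                                   "Origin": "https://attacker.example",
                                   "Cookie": "session=abc"}),
    "cli_bearer_token": ("POST", {"Content-Type": "application/json",
                                  "Authorization": "Bearer t0k3n"}),
}


def evaluate_samples() -> dict:
    """Run every constructed request through the gate; None means accepted."""
    return {name: csrf_check(m, hdrs) for name, (m, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {'accept' if verdict is None else 'reject: ' + verdict}")
```

Step 2 is the one that matters most: a server that parses `query=` out of form fields or text/plain bodies has no preflight protecting it at all, whatever its CORS headers say. Step 3 only adds value when cookies are the credential; for token-only APIs it can be dropped.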
NVD
added 2024/11/18 3:15 p.m. · 32 views

CVE-2024-37155

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

CVSS 8.2 · EPSS 0.00442
Exploits 0 · References 3
Cvelist
added 2024/11/18 3:06 p.m. · 30 views

CVE-2024-37155 OpenCTI May Bypass Introspection Restriction

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

CVSS 6.5 · EPSS 0.00442
Exploits 0 · References 3
OSV
added 2024/11/18 3:06 p.m. · 17 views

CVE-2024-37155 OpenCTI May Bypass Introspection Restriction

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

CVSS 6.5 · AI score 6.5 · EPSS 0.00442
Exploits 0 · References 5
OSV
added 2024/11/13 11:05 a.m. · 8 views

MAL-2024-10679 Malicious code in graphql-yga (npm)

Source: ghsa-malware f47f947ce34d135841426d54dbd431fafee589316d101ac561f402d69ff75316. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
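The three malicious-package records (MAL-2024-10976 for grapql-yoga, MAL-2024-10679 for graphql-yga) are typosquats of graphql-yoga, each one deletion away from the real name. The check below is an added example, not part of the OSV or OSSF records: it audits a package.json for dependency names that are within a couple of edits of a known-good package without being one. The manifest, its version strings and the known-good list are constructed for the example.

```python
"""Added example: flag near-miss dependency names (typosquats) in a package.json.

Not code from OSV/OSSF. KNOWN_GOOD_PACKAGES is a constructed stand-in for a
list of popular registry packages; the manifest and versions are made up.
"""
import json
from typing import Dict, Iterable


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def suspicious_dependencies(deps: Iterable[str], known: Iterable[str],
                            max_distance: int = 2) -> Dict[str, str]:
    """Return {dependency: nearest known package} for every dependency that is
    NOT an exact known name but lies within max_distance edits of one.
    Exact matches are trusted; scoped names are compared whole, so
    @scope/x is never confused with x."""
    known = set(known)
    if not known:
        return {}
    flagged: Dict[str, str] = {}
    for dep in deps:
        if dep in known:
            continue
        nearest = min(known, key=lambda k: levenshtein(dep, k))
        if levenshtein(dep, nearest) <= max_distance:
            flagged[dep] = nearest
    return flagged


# Constructed manifest; the two misspelled names are the ones the records above refer to.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "graphql": "^16.0.0",
    "grapql-yoga": "5.0.0",
    "graphql-yga": "5.0.0",
    "express": "^4.0.0"
  }
}"""

# Constructed stand-in for a list of popular, known-good registry packages.
KNOWN_GOOD_PACKAGES = {"graphql", "graphql-yoga", "express"}


def audit_package_json(text: str = PACKAGE_JSON,
                       known: Iterable[str] = KNOWN_GOOD_PACKAGES) -> Dict[str, str]:
    """Collect names from every dependency section and run the near-miss check."""
    manifest = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.extend(manifest.get(section, {}))
    return suspicious_dependencies(deps, known)


if __name__ == "__main__":
    for dep, near in audit_package_json().items():
        print(f"{dep!r} is {levenshtein(dep, near)} edit(s) from {near!r}: "
              "treat any host that installed it as compromised")
```

Run it as a pre-install hook or in CI against the lockfile. A hit is a reason to stop, not a verdict: confirm the name against the registry, and if the package was already installed, follow the record's advice above and rotate every secret the host could reach.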
Huntr
added 2024/11/12 7:10 p.m. · 8 views

Denial of service through batched queries in GraphQL

This report is not public...

CVSS 7.5 · AI score 7.1 · EPSS 0.00481
Exploits 1
Veracode
added 2024/11/11 3:38 p.m. · 13 views

Denial Of Service (DoS)

Mattermost is vulnerable to Denial of Service (DoS). The vulnerability is due to the failure to prevent detailed error messages from being displayed in Playbooks, which allows an attacker to generate a large GraphQL response. This can lead to application crashes when a specially crafted request is...

CVSS 7.5 · AI score 6.5 · EPSS 0.00442
Exploits 0 · References 4 · Affected Software 1
NVD
added 2024/11/06 3:15 p.m. · 14 views

CVE-2024-6861

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...

CVSS 7.5 · EPSS 0.00658
Exploits 0 · References 5
Cvelist
added 2024/11/06 2:54 p.m. · 19 views

CVE-2024-6861 Foreman: foreman: oauth secret exposure via unauthenticated access to the graphql api

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...

CVSS 7.5 · EPSS 0.00658
Exploits 0 · References 5
Vulnrichment
added 2024/11/06 2:54 p.m. · 19 views

CVE-2024-6861 Foreman: foreman: oauth secret exposure via unauthenticated access to the graphql api

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...

CVSS 7.5 · AI score 6.5 · EPSS 0.00658
Exploits 0 · References 5
CVE
added 2024/11/06 2:54 p.m. · 113 views

CVE-2024-6861

CVE-2024-6861 affects Foreman via GraphQL: if introspection is enabled, an attacker can retrieve sensitive admin authentication keys, risking full API compromise. Affected context: Foreman GraphQL API; root cause is exposure of admin keys through introspection. Mitigation repeatedly recommended a...

CVSS 7.5 · AI score 7.5 · EPSS 0.00658
Exploits 0 · References 5
Veracode
added 2024/11/04 8:48 a.m. · 9 views

Information Disclosure

github.com/graph-gophers/graphql-go is vulnerable to Information Disclosure. The vulnerability is due to improper access controls on the GraphQL introspection query, allowing unauthorized users to access a complete list of available queries and mutations...

CVSS 5.3 · AI score 6.5 · EPSS 0.00521
Exploits 0 · References 6 · Affected Software 1
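Most of the records on this page turn on GraphQL introspection: enabled by design on a public API (the Shopify report, closed as intended behaviour), exposing OAuth secrets when the API is reachable unauthenticated (Foreman, CVE-2024-6861), reachable by unauthorized users (graphql-go), and in OpenCTI (CVE-2024-37155) "blocked" by a regex that stopped matching once whitespace, carriage returns and line feeds were removed. The following is an added example, not code from any of those projects: it puts a whitespace-dependent regex filter (a hypothetical stand-in, not OpenCTI's actual pattern) beside a token-level check built on the GraphQL lexical grammar, under which whitespace, line terminators, commas and comments are ignored tokens. The sample queries are constructed.

```python
"""Added example: why a regex is the wrong tool for blocking GraphQL introspection.

NAIVE_INTROSPECTION_RE is a hypothetical whitespace-sensitive filter, not
OpenCTI's real pattern. The token-level check lexes the query the way a
GraphQL server does, so reformatting cannot change what it sees.
"""
import re
from typing import Iterator, Tuple

# --- 1. naive filter: only fires when the field is preceded by whitespace ---
NAIVE_INTROSPECTION_RE = re.compile(r"\s+(__schema|__type)\s*[({]")


def naive_blocks(query: str) -> bool:
    """Hypothetical whitespace-dependent filter; a minified query walks past it."""
    return NAIVE_INTROSPECTION_RE.search(query) is not None


# --- 2. minimal GraphQL lexer (spec: Lexical Tokens / Ignored Tokens) -------
Token = Tuple[str, str]  # (kind, text)
_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
_NUMBER = re.compile(r"-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?")
_PUNCT = set("!$&():=@[]{}|")


def tokenize(src: str) -> Iterator[Token]:
    """Yield lexical tokens; whitespace, newlines, commas, BOM and comments
    are skipped, strings are returned opaque so their contents never count."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in " \t\r\n,\ufeff":                 # ignored tokens
            i += 1
        elif c == "#":                            # comment runs to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif src.startswith('"""', i):            # block string
            j = src.find('"""', i + 3)
            while j != -1 and src[j - 1] == "\\":  # skip escaped \"""
                j = src.find('"""', j + 1)
            if j == -1:
                raise ValueError("unterminated block string")
            yield ("String", src[i:j + 3])
            i = j + 3
        elif c == '"':                            # string with backslash escapes
            j = i + 1
            while j < n and src[j] != '"':
                j += 2 if src[j] == "\\" else 1
            if j >= n:
                raise ValueError("unterminated string")
            yield ("String", src[i:j + 1])
            i = j + 1
        elif src.startswith("...", i):
            yield ("Punct", "...")
            i += 3
        elif c in _PUNCT:
            yield ("Punct", c)
            i += 1
        else:
            m = _NAME.match(src, i) or _NUMBER.match(src, i)
            if not m:
                raise ValueError(f"unexpected character {c!r} at offset {i}")
            yield ("Name" if m.re is _NAME else "Number", m.group())
            i = m.end()


INTROSPECTION_ROOT_FIELDS = {"__schema", "__type"}


def uses_introspection(query: str) -> bool:
    """True if any Name token is an introspection root field. __typename stays
    allowed (clients and caches use it routinely). Deliberately conservative:
    the name is flagged wherever it appears as a token, not only in field
    position, because a false positive costs far less than a bypass."""
    return any(kind == "Name" and text in INTROSPECTION_ROOT_FIELDS
               for kind, text in tokenize(query))


# Constructed queries covering the bypass and the false-positive cases.
SAMPLES = {
    "pretty":   "query IntrospectionQuery {\n  __schema {\n    types { name }\n  }\n}\n",
    "minified": "{__schema{types{name}}}",                   # CVE-2024-37155 shape
    "aliased":  "{s:__type(name:\"User\"){fields{name}}}",   # alias, no whitespace
    "comment":  "# __schema only in a comment\n{ me { id } }",
    "string":   "{ search(q: \"__schema\") { id } }",
    "typename": "{ me { id __typename } }",
}


def compare() -> dict:
    """For each sample: (naive regex verdict, token-level verdict)."""
    return {k: (naive_blocks(q), uses_introspection(q)) for k, q in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, lexed) in compare().items():
        print(f"{name:9s} regex={naive!s:5s} lexer={lexed}")
```

The lexer-level check is still a stopgap. The right place to refuse introspection is the validation phase, after parsing, where a rule such as graphql-js's NoSchemaIntrospectionCustomRule rejects `__schema` and `__type` selections on the AST regardless of formatting. And blocking introspection is not a substitute for authentication: in the Foreman record the exposure is the API answering unauthenticated at all, and on a public API such as Shopify's an enabled introspection endpoint is a documented choice, not a finding.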