Cross-site Scripting (XSS)
cockpit-hq/cockpit is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the Rest/GraphQL viewer due to a lack of escaping of script tags, which allows an attacker to inject and execute arbitrary JavaScript...
CVE-2023-38976
An issue in weaviate v.1.20.0 allows a remote attacker to cause a denial of service via the handleUnbatchedGraphQLRequest function...
Weaviate security vulnerability
Weaviate is an open source vector database from Weaviate Open Source. A security vulnerability exists in Weaviate version v.1.20.0, which stems from a flaw that allows attackers to cause a denial of service (DoS) via the handleUnbatchedGraphQLRequest function...
Security Bulletin: GraphQL Java component, used by IBM Maximo Application Suite, is vulnerable to CVE-2023-28867
Summary: IBM Maximo Application Suite uses the GraphQL Java package, which is vulnerable to CVE-2023-28867. Vulnerability Details: CVEID: CVE-2023-28867. DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially crafted GraphQL query, a...
Improper Access Control
@keystone-6/core is vulnerable to Improper Access Control. The vulnerability exists when the ui.isAccessAllowed parameter in the KeystoneMeta function of adminMetaSchema.ts is set to undefined, which allows an attacker to access the admin meta GraphQL query if no session strategy is defined...
GHSA-9CVC-V7WM-992C When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
Summary: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different from the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is...
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
Summary: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different from the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is...
CVE-2023-40027
Keystone is an open source headless CMS for Node.js, built with GraphQL and React. When ui.isAccessAllowed is set to undefined, the adminMeta GraphQL query is publicly accessible (no session required). This is different from the behaviour of the default AdminUI middleware, which by default will only...
Default configuration
Keystone is an open source headless CMS for Node.js, built with GraphQL and React. When ui.isAccessAllowed is set to undefined, the adminMeta GraphQL query is publicly accessible (no session required). This is different from the behaviour of the default AdminUI middleware, which by default will only...
CVE-2023-40027 Conditionally missing authorization in @keystone-6/core
Keystone is an open source headless CMS for Node.js, built with GraphQL and React. When ui.isAccessAllowed is set to undefined, the adminMeta GraphQL query is publicly accessible (no session required). This is different from the behaviour of the default AdminUI middleware, which by default will only...
CVE-2023-40027
Keystone (Node.js) vulnerability CVE-2023-40027: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible without a session, potentially exposing admin metadata. Affected users are those relying on a session strategy to restrict access; developers using @keystone-6...
Keystone security vulnerability
Keystone is a powerful OpenStack open source CMS designed to help you build and scale faster than any other CMS or application framework. Keystone has a security vulnerability that stems from the adminMeta GraphQL query being publicly accessible when ui.isAccessAllowed is set to undefined...
Improper Authorization
gitlab is vulnerable to Improper Authorization. This vulnerability allows a malicious, unauthorized GitLab user to attach a malicious runner to any project through GraphQL endpoints...
Information Disclosure
gitlab is vulnerable to Information Disclosure. An attacker could exploit this vulnerability by sending a specially crafted GraphQL query to the GitLab server. This query would allow the attacker to enumerate the usernames of all users on the server, even if they do not have an account...
Improper Authorization
gitlab is vulnerable to Improper Authorization. The vulnerability exists due to improper access to some particular fields through the GraphQL API which allows an attacker to perform unauthorized actions...
Denial Of Service (DoS)
gitlab is vulnerable to Denial of Service (DoS). The vulnerability exists due to a lack of length validation, which allows an attacker to create a very large Issue description via GraphQL, leading to an application crash...
Information Disclosure
gitlab is vulnerable to Information Disclosure. This vulnerability occurs due to a flaw in the way that GitLab handles GraphQL queries. An attacker can exploit this vulnerability to access project details that they are not authorized to see...
Cross-Site Request Forgery (CSRF)
gitlab is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the GraphQL API, allowing an attacker to call mutations as the victim...