3121 matches found

CNNVD · added 2021/11/04 12:00 a.m. · 4 views

GraphQL Playground cross-site scripting vulnerability

GraphQL Playground is a graphical, interactive, in-browser GraphQL IDE (Integrated Development Environment) based on GraphiQL, from Prisma Labs, Germany. A cross-site scripting vulnerability exists in GraphQL Playground versions prior to 1.4.7, which stems from the software's lack of effective...

CVSS 7.1 · AI score 5.9 · EPSS 0.01032
Exploits 0 · References 5
CNNVD · added 2021/11/04 12:00 a.m. · 10 views

GraphQL Playground cross-site scripting vulnerability

GraphQL Playground is a graphical, interactive, in-browser GraphQL IDE (Integrated Development Environment) based on GraphiQL, from Prisma Labs, Germany. GraphQL Playground suffers from a cross-site scripting vulnerability that stems from the program's susceptibility to corrupt HTTP schema...

CVSS 7.1 · AI score 5.9 · EPSS 0.01182
Exploits 0 · References 4
Positive Technologies · added 2021/11/04 12:00 a.m. · 13 views

PT-2021-23212 · Unknown +1 · Graphql-Playground-React +2

Name of the Vulnerable Software and Affected Versions: graphiql versions prior to 1.4.7; graphql-playground-react versions prior to 1.7.28. Description: The vulnerability allows for compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a...

CVSS 7.1 · AI score 6.5 · EPSS 0.01182
Exploits 0 · References 16
Positive Technologies · added 2021/11/04 12:00 a.m. · 4 views

PT-2021-22751 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.1 through 14.2.6; GitLab CE/EE versions 14.3 through 14.3.4; GitLab CE/EE versions 14.4 through 14.4.1. Description: The issue is related to an Improper Access Control vulnerability in the GraphQL API. This vulnerability...

CVSS 4.3 · AI score 4.2 · EPSS 0.00815
Exploits 1 · References 11
Ivan 'd0znpp' Novikov · added 2021/10/13 2:47 p.m. · 134 views

What is Graphql ❓ Definition with Example

Anyone who is involved in app development will be familiar with GraphQL, a highly useful query language making tons of things right for app developers and security managers. When handled perfectly and diligently, GraphQL holds the power to empower the traditional process of data retrievals,...

AI score 7.1
Exploits 0
Github Security Blog · added 2021/10/12 6:49 p.m. · 34 views

SilverStripe GraphQL Server permission checker not inherited by query subclass.

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4.3 · AI score 3.2 · EPSS 0.00786
Exploits 1 · References 7 · Affected Software 1
OSV · added 2021/10/12 6:49 p.m. · 16 views

GHSA-R7RH-G777-G5GX SilverStripe GraphQL Server permission checker not inherited by query subclass.

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4.3 · AI score 4.5 · EPSS 0.00786
Exploits 1 · References 7
Hacker One · added 2021/10/08 1:32 p.m. · 43 views

Shopify: Bypass a fix for report #708013

Summary: customerAccessTokenCreate mutation in the Storefront API does not correctly throttle login attempts. An issue in similar report https://hackerone.com/reports/708013 was already fixed, however, there is still a bypass. Steps To Reproduce: 1. Grab a Storefront API Token. I got it from the B...

Exploits 0
OSV · added 2021/10/07 3:15 p.m. · 24 views

CVE-2021-28661

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4.3 · AI score 6.8 · EPSS 0.00786
Exploits 1 · References 2
NVD · added 2021/10/07 3:15 p.m. · 13 views

CVE-2021-28661

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4.3 · EPSS 0.00786
Exploits 1 · References 2
ATTACKERKB · added 2021/10/07 3:15 p.m. · 3 views

CVE-2021-28661

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4.3 · AI score 5.3 · EPSS 0.00786
Exploits 1 · References 3
Prion · added 2021/10/07 3:15 p.m. · 16 views

Design/Logic Flaw

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

CVSS 4 · AI score 4.6 · EPSS 0.00786
Exploits 1 · References 2 · Affected Software 1
Cvelist · added 2021/10/07 2:06 p.m. · 16 views

CVE-2021-28661

Default SilverStripe GraphQL Server aka silverstripe/graphql 3.x through 3.4.1 permission checker not inherited by query subclass...

AI score 4.9 · EPSS 0.00786
Exploits 1 · References 2
CVE · added 2021/10/07 2:06 p.m. · 70 views

CVE-2021-28661

The CVE-2021-28661 entry concerns the SilverStripe GraphQL Server (silverstripe/graphql) versions 3.x through 3.4.1, where the permission checker is not inherited by a query subclass. This is identified as a permission-related issue in the GraphQL server component, with the underlying root cause ...

CVSS 4.3 · AI score 4.5 · EPSS 0.00786
Exploits 1 · References 2 · Affected Software 1
Positive Technologies · added 2021/10/07 12:00 a.m. · 6 views

PT-2021-17888 · Silverstripe · Silverstripe Graphql Server

Name of the Vulnerable Software and Affected Versions: SilverStripe GraphQL Server versions 3.x through 3.4.1. Description: The issue concerns a permission checker not being inherited by a query subclass in the SilverStripe GraphQL Server. Recommendations: For versions 3.x through 3.4.1, update to...

CVSS 4.3 · AI score 4.2 · EPSS 0.00786
Exploits 1 · References 12
CNNVD · added 2021/10/06 12:00 a.m. · 3 views

Silverstripe SilverStripe access control error vulnerability

Silverstripe SilverStripe is an open source programming framework and content management system (CMS) from the New Zealand company SilverStripe. The system supports multiple languages, is cross-platform, and has other features. An access control error vulnerability exists in SilverStripe...

CVSS 4.3 · AI score 5 · EPSS 0.00786
Exploits 1 · References 4
Hacker One · added 2021/09/24 12:40 a.m. · 19 views

Shopify: Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all

I am reporting this because it looks like an authorization bug in GraphQL. A Staff member with no permissions on a Shopify Store may be able to create Webhooks with the webhookSubscriptionCreate mutation on BULK_OPERATIONS_FINISH webhook topic. POST...

AI score 0.2
Exploits 0
Imperva Blog · added 2021/09/22 3:28 p.m. · 21 views

Imperva An Eight-Time Magic Quadrant Leader for Web Application and API Protection

2021 has seen a lot of change. Billionaires now go where only governments and Red Bull gimmicks could go before. The 2020 Olympics didn't take place in 2020. Tom Brady won his 7th Super Bowl for a completely new franchise (those of you in the US get this reference). Similar change in application...

AI score 0.4
Exploits 0
Kitploit · added 2021/09/18 8:30 p.m. · 54 views

BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations

BatchQL is a GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements. When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however n...

AI score 7.8
Exploits 0 · References 2
OSV · added 2021/09/15 3:30 p.m. · 2 views

DRUPAL-CONTRIB-2021-029

This advisory addresses a similar issue to Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008. The GraphQL module allows file uploads through its HTTP API. The module does not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be ab...

CVSS 9.8 · AI score 7 · EPSS 0.01217
Exploits 0 · References 1