GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029
This advisory addresses a similar issue to Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008. The GraphQL module allows file uploads through its HTTP API. The module does not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be ab...
Graphw00F - GraphQL fingerprinting tool for GQL endpoints
Credits to Nick Aleks for the logo! How does it work? graphw00f, inspired by wafw00f, is a GraphQL fingerprinting tool for GQL endpoints: it sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security...
CVE-2021-36044
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field...
CVE-2021-36012
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by a business logic error in the placeOrder GraphQL mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item...
CVE-2021-36044
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability that allows an unauthenticated attacker to cause a server-side denial-of-service via a GraphQL field. The issue is rooted in input validation an...
CVE-2021-36044 Magento Commerce GraphQL Improper Input Validation Could Lead To Denial Of Service
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field...
CVE-2021-36012
CVE-2021-36012 describes a business-logic flaw in Magento Commerce’s placeOrder GraphQL mutation where an authenticated attacker can alter the price of an item, affecting Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The vulnerability stems from a...
CVE-2021-36012 Magento Commerce Gift Card Business Logic Error
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by a business logic error in the placeOrder GraphQL mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item...
GitLab: Improper access control for users with expired password, giving the user full access through API and Git
Summary Users with an "expired password" can still access the full API with tokens. This includes the REST API, GraphQL API and Git HTTP access. The same issue was mitigated in 13.12.2 as "Insufficient Expired Password Validation". That patch blocked users with expired passwords from accessing th...
GraphQL Interface Detected
GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. Some web applications provide a friendly user interface to help developers build GraphQL queries and get the results. The scanner detected the...
GraphQL Field Suggestions Detected
GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. By default, GraphQL has a feature that suggests field names to use in queries or mutations when the ones provided in the received...
HackerOne: Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback
Summary: Hi team, I noticed one possible information disclosure scenario related to My Feedback managed at https://hackerone.com/settings/feedback Description: In the current scenario, even after unchecking the option "Show this blurb on my profile", I can access the feedback using one request POST...
GraphQL Introspection Enabled
GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. GraphQL introspection allows querying all information related to the supported schema and queries on a GraphQL server instance. By leveraging this...
Coursera Flunks API Test in Researchers’ Security Exam
Researchers have discovered multiple application programming interface (API) issues in Coursera, the online learning platform used by 82 million learners and hundreds of Fortune 500 companies. On Thursday, the Checkmarx Security Research Team published a report on its findings, which included user...
CVE-2021-22224
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...
Cross-site request forgery (CSRF)
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...