3121 matches found

OSV · added 2020/09/14 8:15 p.m.

CVE-2020-13317

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository...

CVSS 4.9 · AI score 6.2 · EPSS 0.01434
Exploits 0 · References 3
UbuntuCve · added 2020/09/14 8:15 p.m.

CVE-2020-13317

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository...

CVSS 6.5 · AI score 5.9 · EPSS 0.01434
Exploits 0 · References 2
Prion · added 2020/09/14 8:15 p.m.

Design/Logic Flaw

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository...

CVSS 4 · AI score 4.9 · EPSS 0.01434
Exploits 0 · References 3 · Affected software 1
OSV · added 2020/09/14 8:15 p.m.

UBUNTU-CVE-2020-13317

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository...

CVSS 6.5 · AI score 5.8 · EPSS 0.01434
Exploits 0 · References 3
CVE · added 2020/09/14 7:36 p.m.

CVE-2020-13317

GitLab CVE-2020-13317 impacts GitLab versions before 13.1.10, 13.2.8, and 13.3.4 due to an insufficient check in the GraphQL API that allowed a maintainer to delete a repository. The issue is rooted in the GraphQL authorization/validation logic, enabling unintended repository deletion. Fixed vers...

CVSS 6.5 · AI score 4.8 · EPSS 0.01434
Exploits 0 · References 3 · Affected software 1
Cvelist · added 2020/09/14 7:36 p.m.

CVE-2020-13317

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository...

CVSS 6.5 · AI score 6.2 · EPSS 0.01434
Exploits 0 · References 3
Debian CVE · added 2020/09/14 7:36 p.m.

CVE-2020-13317

Removed by vendor...

CVSS 6.5 · AI score 5.8 · EPSS 0.01434
Exploits 0
Hacker One · added 2020/09/14 5:56 a.m.

Shopify: Undocumented `fileCopy` GraphQL API

Impact: A malicious staff account with no permissions can copy other store file assets to the current store, which they have no access to. Details: So the story is as follows. A malicious staff member jackmccracken on storeA.myshopify.com wants to upload a file on the store but could not, due to permissions...

AI score 0.4
Exploits 0
Positive Technologies · added 2020/09/14 12:00 a.m.

PT-2020-13458 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 13.1.10; GitLab versions prior to 13.2.8; GitLab versions prior to 13.3.4. Description: A vulnerability was discovered that involves an insufficient check in the GraphQL API. This issue allows a maintainer to delete a...

CVSS 6.5 · AI score 5.2 · EPSS 0.01434
Exploits 0 · References 11
Hacker One · added 2020/09/13 7:22 a.m.

HackerOne: Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation

Summary: Hacker can bypass minimum bounty amount restrictions in invitation preferences due to trusted client-side input to the UpdateInvitationPreferencesMutation GraphQL operation. Description: The new "Bounty Preferences" feature at https://hackerone.com/settings/preferences allows the hacker to se...

AI score 0.2
Exploits 0
Hacker One · added 2020/09/12 7:24 a.m.

Shopify: A staff member with no permissions can edit Store Customer Email

Impact: A staff member with no permissions can edit a store Customer email which they have no access to. This is the email that the store customers will see when emailing them. Details: emailSenderConfigurationUpdate is an undocumented GraphQL API that allows a malicious staff member in a stor...

AI score 6.9
Exploits 0
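The GitLab CVE-2020-13317 entries above (an insufficient check that let a maintainer delete a repository) and the two Shopify reports (undocumented mutations callable by a staff account with no permissions) are one class of bug: a GraphQL mutation whose authorization check is missing, or tests a weaker permission than the action needs. Below is an added example, not GitLab's, Shopify's or any library's code, of a deny-by-default mutation layer in plain JavaScript: each mutation declares the permission it requires, a wrapper enforces it, and a startup check lists any mutation that declares none. The roles, permissions and mutation names are hypothetical.

```javascript
// Added illustration, not GitLab's, Shopify's or any library's code: a
// deny-by-default authorization layer for GraphQL mutations. Roles,
// permissions and mutation names are hypothetical and constructed here.

// Hypothetical role -> permission table.
const PERMISSIONS = {
  guest: new Set(),
  developer: new Set(["push_code"]),
  maintainer: new Set(["push_code", "manage_members"]),
  owner: new Set(["push_code", "manage_members", "remove_project"]),
};

// Unknown or missing user falls through to an empty permission set.
function can(user, permission) {
  const granted = PERMISSIONS[user && user.role] || new Set();
  return granted.has(permission);
}

class AuthorizationError extends Error {}

// Wrap a resolver so it runs only when the caller holds `permission`.
// The permission is recorded on the wrapper so it can be audited later.
function requires(permission, resolver) {
  const guarded = (args, ctx) => {
    if (!can(ctx.user, permission)) {
      const role = ctx.user ? ctx.user.role : "anonymous";
      throw new AuthorizationError(`role "${role}" lacks "${permission}"`);
    }
    return resolver(args, ctx);
  };
  guarded.permission = permission;
  return guarded;
}

// Two ways a mutation map goes wrong, mirroring the reports above.
const vulnerableMutations = {
  // 1. A check exists but tests a weaker permission than the action needs,
  //    so a maintainer can delete the project.
  removeProject: requires("manage_members", ({ id }) => ({ deleted: id })),
  // 2. An undocumented mutation shipped with no check at all, so any
  //    authenticated account can call it.
  emailSenderConfigurationUpdate: ({ email }) => ({ email }),
};

const hardenedMutations = {
  removeProject: requires("remove_project", ({ id }) => ({ deleted: id })),
  emailSenderConfigurationUpdate: requires("manage_members", ({ email }) => ({ email })),
};

// Startup/CI check: mutations that declare no permission. Failing the build
// on a non-empty list turns "forgot the check" into a test failure.
function unguardedMutations(mutations) {
  return Object.entries(mutations)
    .filter(([, resolver]) => !resolver.permission)
    .map(([name]) => name);
}

// Minimal executor standing in for a GraphQL server's mutation dispatch:
// authorization failures become an error result, anything else propagates.
function execute(mutations, name, args, user) {
  const resolver = mutations[name];
  if (!resolver) throw new Error(`unknown mutation ${name}`);
  try {
    return { ok: true, data: resolver(args, { user }) };
  } catch (err) {
    if (err instanceof AuthorizationError) return { ok: false, error: err.message };
    throw err;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const maintainer = { role: "maintainer" };
  console.log(execute(vulnerableMutations, "removeProject", { id: 7 }, maintainer));
  console.log(execute(hardenedMutations, "removeProject", { id: 7 }, maintainer));
  console.log(unguardedMutations(vulnerableMutations));
}
```

Run with node: the vulnerable map lets a maintainer through removeProject and exposes emailSenderConfigurationUpdate to any account, while the hardened map rejects both, and unguardedMutations() on it returns an empty list, which is the property to assert in CI so that a new mutation cannot ship without naming its permission.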
Hacker One · added 2020/09/10 4:48 a.m.

HackerOne: Team object in GraphQL disclosed private_comment

Summary: Hi Team, Some private, I think, part of GraphQL reveals to us. Steps To Reproduce: Without authorization 1. https://hackerone.com/graphql POST: "query":"query nodeid: \"gid://hackerone/SurveyRatingItem/█████\" ... on...

AI score 7
Exploits 0
vulnersOsv · added 2020/09/04 5:24 p.m.

@anacoelhovicente/primecore (=0.3.4-beta.1-webhook), @axonish/core (>=0.2.0 <=0.3.0) +29 more potentially affected by unknown CVE via type-graphql (>=0.12.3 <=0.17.5)

type-graphql NPM version =0.12.3, =0.2.0, =0.0.2, =1.0.0, =1.0.0, =0.0.5, =0.0.1, =0.0.0-4d6c2e0, =0.1.0, =0.3.0-alpha.1, =0.0.1, =5.2.0, =0.0.1, =0.0.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XF64-2F9P-6PQQ...

AI score 5.8
Exploits 0
Github Security Blog · added 2020/09/04 5:24 p.m.

Information Exposure in type-graphql

Versions of type-graphql prior to 0.17.6 are vulnerable to Information Exposure. The package leaks the resolver source code in an error message. It is possible to force this error when no subscription topics are provided in the request. Recommendation Upgrade to version 0.17.6 or later...

AI score 2.7
Exploits 0 · References 3 · Affected software 1
OSV · added 2020/09/04 5:24 p.m.

GHSA-XF64-2F9P-6PQQ Information Exposure in type-graphql

Versions of type-graphql prior to 0.17.6 are vulnerable to Information Exposure. The package leaks the resolver source code in an error message. It is possible to force this error when no subscription topics are provided in the request. Recommendation Upgrade to version 0.17.6 or later...

AI score 5.9
Exploits 0 · References 2
vulnersOsv · added 2020/09/03 7:21 p.m.

@atto-byte/yoga (>=0.6.0 <=0.6.6), @britishcouncil/grizzly (>=0.1.0 <=0.3.3) +22 more potentially affected by unknown CVE via graphql-shield (>=3.2.5 <=5.7.3)

graphql-shield NPM version =3.2.5, =0.6.0, =0.1.0, =1.0.2-alpha.11, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.0.6, =0.0.0, =0.0.1, =1.0.0, =0.0.5, =0.0.1, =0.0.2 - ustart =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-HX78-272P-MQQH...

AI score 5.8
Exploits 0
Github Security Blog · added 2020/09/03 7:21 p.m.

Authorization Bypass in graphql-shield

Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option nocache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have...

AI score 4.8
Exploits 0 · References 2 · Affected software 1
OSV · added 2020/09/03 7:21 p.m.

GHSA-HX78-272P-MQQH Authorization Bypass in graphql-shield

Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option nocache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have...

AI score 6.7
Exploits 0 · References 1
vulnersOsv · added 2020/09/03 6:08 p.m.

@blackbaud-bobbyearl/skyux-builder (>=1.10.0 <=1.10.1), @blackbaud/skyux-builder (>=1.10.1 <=1.31.0) +72 more potentially affected by unknown CVE via lodash.mergewith (>=4.0.3 <=4.6.0)

lodash.mergewith NPM version =4.0.3, =1.10.0, =1.10.1, =5.0.0, =5.2.8, =5.0.0, =5.0.0, =5.1.1, =1.3.0, =1.0.0-alpha.1, =1.0.4, =1.1.3, =1.0.0, =1.1.11, =1.0.3, =1.0.0, =1.0.0-alpha.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-5947-M4FG-XHQG...

AI score 5.8
Exploits 0
vulnersOsv · added 2020/09/02 6:27 p.m.

@absa-subatomic/openshift-api (>=0.0.1 <=0.0.2), @atomist-seeds/empty-sdm (>=1.0.0-atomist-update-branch-master-20190328081334.20190328081445 <=1.0.0-master.20190328082132) +24 more potentially affected by unknown CVE via graphql-code-generator (>=0.10.7 <=0.17.0)

graphql-code-generator NPM version =0.10.7, =0.0.1, =1.0.0-atomist-update-branch-master-20190328081334.20190328081445, =0.3.7, =1.0.2, =1.1.0, =0.1.2, =0.1.0-master.20190213110409, =1.0.3-atomist-update-branch-master-1543218569607.20181126075034, =1.0.0-master.20190215080022, =1.0.0, =0.11.10,...

AI score 5.8
Exploits 0