3103 matches found
CVE-2019-1020015
graphql-engine aka Hasura GraphQL Engine before 1.0.0-beta.3 mishandles the audience check while verifying JWT...
Hardcoded credentials
graphql-engine aka Hasura GraphQL Engine before 1.0.0-beta.3 mishandles the audience check while verifying JWT...
CVE-2019-1020015
CVE-2019-1020015 affects graphql-engine (Hasura GraphQL Engine) prior to 1.0.0-beta.3, which mishandles the audience check during JWT verification. The evidence in connected documents confirms the vendor/product and the root cause without additional exploit details. Remediation is to upgrade to 1...
HackerOne: Private information exposed through GraphQL filters
Summary: secure schema can be circumvented for graphql where filters by using or operator. Description: When passing a where clause to a collection in the graphql endpoint, like teamswhere: state: eq: softlaunched it queries the state through the secure schema - so it will not return any teams...
CVE-2019-1010304
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated...
Design/Logic Flaw
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated...
CVE-2019-1010304
CVE-2019-1010304 affects Saleor’s GraphQL API (ProductVariant in the GraphQL schema) where Incorrect Access Control allowed an unauthenticated user to access data via the publicly exposed /graphql/ endpoint. The issue enables exposure of potentially admin-restricted shop revenue data. Impact is d...
FreeBSD : Gitlab -- Multiple Vulnerabilities (4ea507d1-9da8-11e9-a759-001b217b3468)
Gitlab reports: Ability to Write a Note to a Private Snippet Recent Pipeline Information Disclosed to Unauthorised Users Resource Exhaustion Attack Error Caused by Encoded Characters in Comments Authorization Issues in GraphQL Number of Merge Requests was Accessible Enabling One of the Service...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Ability to Write a Note to a Private Snippet Recent Pipeline Information Disclosed to Unauthorised Users Resource Exhaustion Attack Error Caused by Encoded Characters in Comments Authorization Issues in GraphQL Number of Merge Requests was Accessible Enabling One of the Service...
GitLab: Private System Note Disclosure using GraphQL
Summary When you use the REST API or UI to view an issue's discussion/notes, private system note is hidden to member's only. Such as moving an issue to a private project, making issue as duplicate of a confidential issue, someone mentioned this issue in a confidential issue. They are properly...
Shopify: any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store
Hi, I found this cool behavior by mistake when I was testing for some GraphQL, any user have ability to comment in discounts code at discounts section can turn off comments to the other staff members include the admin/manager of the store. this happens because when the GraphQL used to create a...
GitLab: GraphQL query "namespace" leaks data
NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary Using the "namespace"...
Prototype Pollution in @apollo/gateway
Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the...
GHSA-74CR-77XC-8G6R Prototype Pollution in @apollo/gateway
Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the...
HackerOne: Disabled account can still use GraphQL endpoint
Summary Hi team & @jobert, I am not sure if it is by design. After disabling the account, the user will be forced to Enable his account after logging in. However, many of actions are implemented using GraphQL endpoint which bypasses account reactivation process before use. Since re-enabling the...
Cross-Site Request Forgery (CSRF)
silverstripe/graphql is vulnerable to cross-site request forgery (CSRF). The code change that implements CSRF protection on GraphQL mutation queries does not adequately verify the authenticity of requests on GraphQL endpoints. A GraphQL query formed with a fragment portion before the mutation would...
CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL
More info at https://www.silverstripe.org/download/security-releases/cve-2019-12437...