
12 matches found

Hacker One
added 2025/12/04 8:9 p.m., 15 views

Enjin: Unauthenticated GraphQL access by prepending __schema to private operations

A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of t...

6.8 AI score
Exploits: 0
EUVD
added 2025/10/15 9:50 p.m., 1 views

EUVD-2025-34700

Malicious code in enjin-docs npm...

6.6 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/10/15 9:50 p.m., 2 views

Malicious code in enjin-docs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 24afa8ea540d65aaac41e9b8290ea35057d333217eca4a50410143aa9e993bd4 The OpenSSF Package Analysis project identified 'enjin-docs' @ 15.2.0 npm as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits: 0
OSV
added 2025/10/15 9:50 p.m., 1 views

MAL-2025-48431 Malicious code in enjin-docs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 24afa8ea540d65aaac41e9b8290ea35057d333217eca4a50410143aa9e993bd4 The OpenSSF Package Analysis project identified 'enjin-docs' @ 15.2.0 npm as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits: 0
Hacker One
added 2024/08/24 11:16 p.m., 3 views

Enjin: Race Condition on Create API Function

Race Condition on Create API Function A race condition was discovered that allowed users to submit multiple requests within rapid succession to create additional keys beyond the defined limit on the Enjin Platform Cloud service...

7 AI score
Exploits: 0
Hacker One
added 2024/01/19 4:3 p.m., 35 views

Enjin: Lack of Tenant Scoping Enables Limited Cross-Tenant Data Querying and Mutation

A vulnerability was demonstrated on the Enjin Platform that allowed for limited cross-tenant data querying and mutation, enabling querying or mutating of someone else's data in certain cases. A full assessment found this had not been exploited outside of the report...

7.1 AI score
Exploits: 0
Hacker One
added 2024/01/11 2:21 p.m., 39 views

Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In

Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...

7.1 AI score
Exploits: 0
Hacker One
added 2024/01/11 12:18 p.m., 34 views

Enjin: Revocation API Token by Bypassing The XSRF Token

The revocation API token was bypassed by bypassing the XSRF token. This allowed the demonstration that the Enjin Platform's GraphQL interface lacked appropriate CSRF protection when utilizing a session token...

7.1 AI score
Exploits: 0
Hacker One
added 2022/07/04 5:31 a.m., 2 views

Enjin: Host header injection leads to account takeover

Vulnerability description not provided...

7.1 AI score
Exploits: 0
Hacker One
added 2021/01/31 8:39 p.m., 13 views

Enjin: CSRF Bypassed on Logout Endpoint

@ersalil was able to demonstrate that the logout functionality had no CSRF protection which meant that they were able to log another user out by simply having that user submit a POST request to the /logout endpoint...

2.6 AI score
Exploits: 0
Hacker One
added 2021/01/21 8:1 p.m., 230 views

Enjin: Reset password policy isn't consistent with registration / change password policy.

The security researcher identified that the password policy on the reset password page wasn't consistent with the policy set forth on the registration and change password pages. The minimum characters, on the reset password page, was only for 6 characters whereas the other pages require a minimum...

2.3 AI score
Exploits: 0
Hacker One
added 2020/10/05 3:3 p.m., 13 views

Enjin: Authentication token and CSRF token bypass

@whiteshadow201 was able to illustrate a vulnerability, due to an overzealous set of CORS rules, where they could execute certain functions on behalf of another user. This was made possible due to a separate vulnerability, a CSRF bypass, that was possible by using the GET method to query the...

2.5 AI score
Exploits: 0