5 matches found
Enjin: Unauthenticated GraphQL access by prepending __schema to private operations
A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "__schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of t...
Enjin: Race Condition on Create API Function
A race condition was discovered that allowed users to submit multiple requests in rapid succession to create additional keys beyond the defined limit on the Enjin Platform Cloud service...
Enjin: Lack of Tenant Scoping Enables Limited Cross-Tenant Data Querying and Mutation
A vulnerability was demonstrated on the Enjin Platform that allowed for limited cross-tenant data querying and mutation, enabling querying or mutating of someone else's data in certain cases. A full assessment found this had not been exploited outside of the report...
Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In
Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...
Enjin: Revocation API Token by Bypassing The XSRF Token
The revocation API token was bypassed by bypassing the XSRF token. This allowed the demonstration that the Enjin Platform's GraphQL interface lacked appropriate CSRF protection when utilizing a session token...