Prototype Pollution

Overview Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objec...

WordPress WPGraphQL Access Control Error Vulnerability (CNVD-2019-27673)

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WPGraphQL is a plugin that provides an extensible GraphQL architecture and API for WordPress sites. An access control error vulnerabili...

Pwning WordPress GraphQL

Third-party plugins are often the security Achilles heel of Content Management Systems CMS. It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a plugin, undermining the security of the whole platform. Plugins are used to add functionality that...

Insecure Default Configuration

graphql-code-generator contains an insecure default configuration. SSL certificate verification was disabled by default, allowing man-in-the-middle MitM attacks...

Insecure Default Configuration

Overview Versions of graphql-code-generator prior to 0.18.2 have an Insecure Default Configuration. The packages sets NODETLSREJECTUNAUTHORIZED to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process. Recommendation Upgrade to versio...

Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL

Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by GraphQL call on Shopify. But from my testing, I noticed that STAFF member with NO EXPLICIT permissions can fetch store's activity feed by calling the vulnerable endpoint. STEPS 1.STAFF member is not assigned any...

HackerOne: Invited team member can disclosure slack channels

Summary: Hello, this report is similar to 505493 also still waiting for response, but accent is totally on another thing. I think it is important and should be fixed, and so i create new report. Invited team member without any permission can disclosure private channel names of slack integration. ...

CVE-2019-1000011

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

CVE-2019-1000011

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

Improper access control

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

CVE-2019-1000011

CVE-2019-1000011 affects API Platform core (PHP) 2.2.0–2.3.5, due to an Incorrect Access Control flaw in GraphQL delete mutations. The vulnerability allows a user who is authorized to delete a resource to delete any resource. The issue’s impact and existence are documented in multiple sources (in...

CVE-2019-1000011

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

Improper Access Control

API Platform contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized...

HackerOne: Confidential data of users and limited metadata of programs and reports accessible via GraphQL

Summary: The GraphQL endpoint doesn't have access controls implemented properly. Description: Any attacker can get personally identifiable information of users of Hackerone such as email address, backup hash codes, facebookuserid, accountrecoveryphonenumberverifiedat, totpenabled, etc. These are...

Shopify: Bypass GraphQL rate limit by abusing negative cost queries

Hi security team, While looking into the graphql app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to used in a given time with a certain refresh rate associated with it. The details can be found at...

CVE-2019-1000011: Access control bypass in GraphQL mutations

Q A Bug fix? yes New feature? no BC breaks? no Deprecations? no Tests pass? yes Fixed tickets 2364 License MIT Doc PR This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances see 2364...

CVE-2019-1000011: Access control bypass in GraphQL mutations

| Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | 2364 | License | MIT | Doc PR | This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances s...

HackerOne: Response program can display "eligible for bounty" in scope area in program policy

Hello Hackerone Team and @jobert First of all, Happy new year to everyone. Summary Response program can also display "eligible for bounty" assets on program policy. It's basically causing from backend in terms of GRAPHQL mutation query for eligible in bounty:true which stays forever on response...

Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure

A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...

HackerOne: Response program can create bounty table

Summary: Follow h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, create bounty table only available for bounty program. Description: Step1: Create request to graphql entrypoint Step2: Change team id in parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...