Lucene search
+L

242 matches found

Github Security Blog
Github Security Blog
added 2022/05/24 5:9 p.m.19 views

Silverstripe CSRF Protection Bypass via GraphQL

In SilverStripe/GraphQL prior to 2.0.5 and 3.1.2, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations...

8.8CVSS6.9AI score0.00742EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2022/05/24 5:9 p.m.10 views

GHSA-FX37-56V6-85Q6 Silverstripe CSRF Protection Bypass via GraphQL

In SilverStripe/GraphQL prior to 2.0.5 and 3.1.2, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations...

8.8CVSS8.7AI score0.00742EPSS
Exploits0References6
Kitploit
Kitploit
added 2022/05/23 9:30 p.m.35 views

Frelatage - The Python Fuzzer That The World Deserves

pip3 install frelatage Current release :0.0.7 Frelatage is a coverage-based Python fuzzing library which can be used to fuzz python code. The development of Frelatage was inspired by various other fuzzers, including AFL/AFL++, Atheris and PythonFuzz. The main purpose of the project is to take...

7AI score
Exploits0References13
OpenVAS
OpenVAS
added 2022/01/28 12:0 a.m.24 views

Mageia: Security Advisory (MGASA-2019-0131)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

8.8CVSS9.5AI score0.29514EPSS
Exploits13References5
ThreatPost
ThreatPost
added 2021/12/13 6:14 p.m.57 views

Log4Shell Is Spawning Even Nastier Mutations

The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week. Most of the attacks focus on cryptocurrency mining done on victims’ dimes,...

10CVSS10AI score0.99999EPSS
Exploits355References52
OSV
OSV
added 2021/07/07 12:15 p.m.19 views

CVE-2021-22224

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...

6.5CVSS6.3AI score0.00893EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2021/07/07 12:15 p.m.29 views

CVE-2021-22224

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...

7.1CVSS6.7AI score0.00893EPSS
Exploits0References4
OSV
OSV
added 2021/07/07 12:15 p.m.3 views

UBUNTU-CVE-2021-22224

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...

7.1CVSS5.7AI score0.00893EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2021/07/07 11:26 a.m.29 views

CVE-2021-22224

Removed by vendor...

7.1CVSS6.8AI score0.00893EPSS
Exploits0
Kitploit
Kitploit
added 2021/06/06 12:30 p.m.221 views

Typodetect - Detect The Active Mutations Of Domains

This tool gives blue teams, SOC's, researchers and companies the ability to detect the active mutations of their domains, thus preventing the use of these domains in fraudulent activities, such as phishing and smishing. For this, Typodetect allows the use of the latest available version of the TL...

7.3AI score
Exploits0References1
UbuntuCve
UbuntuCve
added 2021/05/06 2:15 p.m.23 views

CVE-2021-22209

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...

7.5CVSS6.9AI score0.00934EPSS
Exploits0References3
FreeBSD
FreeBSD
added 2021/04/28 12:0 a.m.41 views

Gitlab -- Vulnerabilities

Gitlab reports: Read API scoped tokens can execute mutations Pull mirror credentials were exposed Denial of Service when querying repository branches API Non-owners can set systemnotetimestamp when creating / updating issues DeployToken will impersonate a User with the same ID when using Dependen...

7.5CVSS3.3AI score0.0115EPSS
Exploits0References1
Hacker One
Hacker One
added 2021/03/10 4:49 p.m.29 views

GitLab: CSRF on /api/graphql allows executing mutations through GET requests

Mutations are edit or create queries used in Graphql. Gitlab prevents CSRF in this functionality by sending a POST request with a X-CSRF-Token header. The bug I found here was that, when we send a GET request, the backend does not expect the X-CSRF-Token header. Using this, an attacker could...

Exploits0
Positive Technologies
Positive Technologies
added 2021/01/05 12:0 a.m.3 views

PT-2021-4079 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.8 and later Description: The issue is related to improper validation of authorization tokens in GitLab, which can result in the execution of GraphQL mutations. This can potentially allow a remote attacker to impact da...

7.5CVSS7.2AI score0.00934EPSS
Exploits0References13
Kitploit
Kitploit
added 2020/03/15 9:30 p.m.95 views

AWSGen.py - Generates Permutations, Alterations And Mutations Of AWS S3 Buckets Names

AWSGen.py is a simple tool for generates permutations, alterations and mutations of AWS S3 Buckets Names. Download AWSGen.py...

7.4AI score
Exploits0References1
NVD
NVD
added 2020/02/19 5:15 p.m.17 views

CVE-2019-12437

In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,...

8.8CVSS8.8AI score0.00742EPSS
Exploits0References3
Cvelist
Cvelist
added 2020/01/24 7:38 p.m.26 views

CVE-2020-7964

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data e.g., name, address, and previous orders of any other customer...

5.2AI score0.01083EPSS
Exploits0References2
Ivan 'd0znpp' Novikov
Ivan 'd0znpp' Novikov
added 2019/10/16 5:10 p.m.60 views

Security testing guide for JSON / REST APIs #1/3

Fuzzing is everything ; It’s the most useful and resultative hacking technique for sure. At the same time, fuzzing is not just random hitting applications or binaries with some random bytes. It’s more about ideas, a deep understanding of data formats and application flows, technology stacks, and ...

0.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2019/10/14 9:23 p.m.50 views

Incorrect Access Control vulnerability in api-platform/core

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

6.5CVSS5.5AI score0.01024EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2019/10/14 9:23 p.m.21 views

GHSA-974J-WJXX-WGGJ Incorrect Access Control vulnerability in api-platform/core

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...

6.5CVSS6.4AI score0.01024EPSS
Exploits0References4
Rows per page
Query Builder