242 matches found
Silverstripe CSRF Protection Bypass via GraphQL
In SilverStripe/GraphQL prior to 2.0.5 and 3.1.2, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations...
GHSA-FX37-56V6-85Q6 Silverstripe CSRF Protection Bypass via GraphQL
In SilverStripe/GraphQL prior to 2.0.5 and 3.1.2, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations...
Frelatage - The Python Fuzzer That The World Deserves
pip3 install frelatage Current release :0.0.7 Frelatage is a coverage-based Python fuzzing library which can be used to fuzz python code. The development of Frelatage was inspired by various other fuzzers, including AFL/AFL++, Atheris and PythonFuzz. The main purpose of the project is to take...
Mageia: Security Advisory (MGASA-2019-0131)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Log4Shell Is Spawning Even Nastier Mutations
The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week. Most of the attacks focus on cryptocurrency mining done on victims’ dimes,...
CVE-2021-22224
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...
CVE-2021-22224
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...
UBUNTU-CVE-2021-22224
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim...
CVE-2021-22224
Removed by vendor...
Typodetect - Detect The Active Mutations Of Domains
This tool gives blue teams, SOC's, researchers and companies the ability to detect the active mutations of their domains, thus preventing the use of these domains in fraudulent activities, such as phishing and smishing. For this, Typodetect allows the use of the latest available version of the TL...
CVE-2021-22209
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...
Gitlab -- Vulnerabilities
Gitlab reports: Read API scoped tokens can execute mutations Pull mirror credentials were exposed Denial of Service when querying repository branches API Non-owners can set systemnotetimestamp when creating / updating issues DeployToken will impersonate a User with the same ID when using Dependen...
GitLab: CSRF on /api/graphql allows executing mutations through GET requests
Mutations are edit or create queries used in Graphql. Gitlab prevents CSRF in this functionality by sending a POST request with a X-CSRF-Token header. The bug I found here was that, when we send a GET request, the backend does not expect the X-CSRF-Token header. Using this, an attacker could...
PT-2021-4079 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.8 and later Description: The issue is related to improper validation of authorization tokens in GitLab, which can result in the execution of GraphQL mutations. This can potentially allow a remote attacker to impact da...
AWSGen.py - Generates Permutations, Alterations And Mutations Of AWS S3 Buckets Names
AWSGen.py is a simple tool for generates permutations, alterations and mutations of AWS S3 Buckets Names. Download AWSGen.py...
CVE-2019-12437
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,...
CVE-2020-7964
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data e.g., name, address, and previous orders of any other customer...
Security testing guide for JSON / REST APIs #1/3
Fuzzing is everything ; It’s the most useful and resultative hacking technique for sure. At the same time, fuzzing is not just random hitting applications or binaries with some random bytes. It’s more about ideas, a deep understanding of data formats and application flows, technology stacks, and ...
Incorrect Access Control vulnerability in api-platform/core
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...
GHSA-974J-WJXX-WGGJ Incorrect Access Control vulnerability in api-platform/core
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...