Lucene search
4 matches found

Veracode
added 2025/01/14 6:24 a.m., 9 views

Type Confusion

strawberrygraphql is vulnerable to Type Confusion. The vulnerability is due to improper handling of GraphQL types when multiple types are mapped to the same underlying model while using the relay node interface, which allows an attacker to exploit type confusion to access or manipulate data from...

CVSS 3.7, AI score 6.7, EPSS 0.00244
Exploits: 0, References: 4, Affected Software: 1
Citrix
added 2021/07/30 12:0 a.m., 6 views

Heartbeat not seen on one interface of one node in a HA pair

HA setup is configured. On one of the nodes, we see that the heartbeat is not found on interface 0/1. On one of the nodes, when the command "show HA node" is executed, we see the following: Interfaces on which heartbeats are not seen : 0/1 On the other node, we see the following: Interfaces on which...

AI score 7.2
Exploits: 0
Hacker One
added 2020/02/20 3:25 a.m., 41 views

HackerOne: GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend

HackerOne exposes a small number of ActiveResource objects through its GraphQL node interface. ActiveResource objects use HTTP as the transport layer in order to fetch data. Four of these models, TaxForm, Payout, Payment, and PayoutPreference, are fetched from an internal Payments backend system with ...

CVSS 5, AI score 7.3, EPSS 0.00286
Exploits: 0
Hacker One
added 2018/11/21 12:42 a.m., 64 views

HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details

It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...

AI score 0.3
Exploits: 0