Summary: Hello team, While testing the analytics reports functionality for an organization, I realized that organization members can delete reports created for a team they have no access to. If an or ...
Continue Reading
December 15, 2023
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 befor ...
Continue Reading
December 15, 2023
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An ap ...
Continue Reading
December 15, 2023
Geth (aka go-ethereum) through 1.13.4, when `--http --graphql` is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the ...
Continue Reading
December 15, 2023
quarkus-smallrye-graphql is vulnerable to Authorization Bypass. The vulnerability is due to doHandle function in SmallRyeGraphQLOverWebSocketHandler.java file there are no checks to ensure that the us ...
Continue Reading
December 15, 2023
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentic ...
Continue Reading
December 15, 2023
@graphql-mesh/runtime is vulnerable to Denial Of Service (DoS). This vulnerability exists due to improper transforms at the root level, allowing an attacker to send duplicate queries with different va ...
Continue Reading
December 15, 2023
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL api allowed a maintainer to delete a repository.Read More ...
Continue Reading
December 15, 2023
Back to Main
