Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper object type validation in saleor
Vulnerability Description
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
saleor 输入验证错误漏洞
Vulnerability Description
Github saleor是一个无头的 GraphQL 商务平台,提供超快速、动态、个性化的购物体验。美丽的在线商店,在任何地方,在任何设备上。 saleor 存在输入验证错误漏洞,该漏洞源于一些GraphQL mutations没有正确检查允许访问经过身份验证的用户可能不允许访问的数据库对象的ID类型输入导致攻击者可能获取员工用户和客户电子邮件地址和全名。
CVSS Information
N/A
Vulnerability Type
N/A