Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ezplatform-graphql GraphQL queries can expose password hashes
Vulnerability Description
ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Ibexa GraphQL Bundle 安全漏洞
Vulnerability Description
Ibexa GraphQL Bundle是Ibexa开源的一个 eZ 平台的 GraphQL 服务器,开源 Symfony CMS。 Ibexa GraphQL Bundle 2.3.12之前的版本和1.0.13版本存在安全漏洞,该漏洞源于其对敏感信息的不安全存储导致经过身份验证的对用户帐户的GraphQL查询会暴露创建或修改内容的用户(通常是管理员和编辑)的密码散列。
CVSS Information
N/A
Vulnerability Type
N/A