Description

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

Related CPE's

a

ibexa

ezplatform-graphql

3

References

https://github.com/ezsystems/ezplatform-graphql/security/advisories/GHSA-c7pc-pgf6-mfh5

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-922

[email protected]

Secondary
CWE-200CWE-922

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-11-10T21:15:10.740

2 years ago

Last modified

2022-11-15T20:10:56.547

2 years ago