Overview
- Description
- GraphQL Playground (the graphql-playground-html NPM package) before version 1.6.22 has a severe reflected XSS vulnerability. Any unsanitized user input passed into the renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the dependent middleware packages are also affected, including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before version 1.6.13.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.4
- Impact score
- 4
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:N/I:P/A:N
Weaknesses
- security-advisories@github.com
- CWE-79
Configurations
[ { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:prisma:graphql-playground-html:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "ABADBEC8-9462-4D41-9CF2-AAE06F44B192", "versionEndExcluding": "1.6.22" }, { "criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-express:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8277C213-ED4A-495C-8F78-3A6BAB562EEA", "versionEndExcluding": "1.7.16" }, { "criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-hapi:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8FF9861D-5F51-4395-8399-B20E883D1AE4", "versionEndExcluding": "1.6.13" }, { "criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-koa:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "2CEB6EE1-895A-4729-9E77-64B758B1F8A9", "versionEndExcluding": "1.6.15" }, { "criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-lambda:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A2DF5937-B97F-4B80-9258-4F289B450F3E", "versionEndExcluding": "1.7.17" } ], "operator": "OR" } ] } ]