{"containers": {"cna": {"affected": [{"product": "graphql-playground", "vendor": "prisma-labs", "versions": [{"status": "affected", "version": "< 1.6.22"}]}], "descriptions": [{"lang": "en", "value": "GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-08T20:40:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/prisma-labs/graphql-playground#security-details"}], "source": {"advisory": "GHSA-4852-vrh7-28rf", "discovery": "UNKNOWN"}, "title": "Reflected XSS in GraphQL Playground", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-4038", "STATE": "PUBLIC", "TITLE": "Reflected XSS in GraphQL Playground"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "graphql-playground", "version": {"version_data": [{"version_value": "< 1.6.22"}]}}]}, "vendor_name": "prisma-labs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf", "refsource": "CONFIRM", "url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"}, {"name": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7", "refsource": "MISC", "url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7"}, {"name": "https://github.com/prisma-labs/graphql-playground#security-details", "refsource": "MISC", "url": "https://github.com/prisma-labs/graphql-playground#security-details"}]}, "source": {"advisory": "GHSA-4852-vrh7-28rf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:52:20.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/prisma-labs/graphql-playground#security-details"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-4038", "datePublished": "2020-06-08T20:40:12", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-08-04T07:52:20.823Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prisma:graphql-playground-html:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ABADBEC8-9462-4D41-9CF2-AAE06F44B192", "versionEndExcluding": "1.6.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-express:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8277C213-ED4A-495C-8F78-3A6BAB562EEA", "versionEndExcluding": "1.7.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-hapi:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8FF9861D-5F51-4395-8399-B20E883D1AE4", "versionEndExcluding": "1.6.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2CEB6EE1-895A-4729-9E77-64B758B1F8A9", "versionEndExcluding": "1.6.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-lambda:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A2DF5937-B97F-4B80-9258-4F289B450F3E", "versionEndExcluding": "1.7.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13."}, {"lang": "es", "value": "GraphQL Playground (paquete Graphql-playground-html NPM) versi\u00f3n anterior a 1.6.22, presenta una grave vulnerabilidad de ataque de Reflexi\u00f3n XSS. Toda entrada de usuario no saneada que es pasada al m\u00e9todo renderPlaygroundPage() podr\u00eda desencadenar esta vulnerabilidad. Esto ha sido parcheado en graphql-playground-html versi\u00f3n 1.6.22. Tome en cuenta que algunos de los paquetes de middleware dependientes asociados tambi\u00e9n est\u00e1n afectados, incluidos, entre otros, graphql-playground-middleware-express versi\u00f3n anterior a 1.7.16, graphql-playground-middleware-koa versi\u00f3n anterior a 1.6.15, graphql-playground-middleware-lambda versi\u00f3n anterior a 1.7.17, y graphql-playground-middleware-hapi versi\u00f3n anterior a 1.6.13"}], "id": "CVE-2020-4038", "lastModified": "2020-06-12T14:38:19.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-06-08T21:15:09.923", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/prisma-labs/graphql-playground#security-details"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}