CVE-2020-4038

Published: Jun 8, 2020Modified: Nov 21, 2024

7.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 4.0

Source: NVD

Description

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.

Affected (5)

Products: Prisma: Graphql Playground Html, Graphql Playground Middleware Express, Graphql Playground Middleware Hapi, Graphql Playground Middleware Koa, Graphql Playground Middleware Lambda

Prisma

5 products

Graphql Playground Html

Graphql Playground Middleware Express

Graphql Playground Middleware Hapi

Graphql Playground Middleware Koa

Graphql Playground Middleware Lambda

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Prisma Graphql Playground Html	Before 1.6.22
Prisma Graphql Playground Middleware Express	Before 1.7.16
Prisma Graphql Playground Middleware Hapi	Before 1.6.13
Prisma Graphql Playground Middleware Koa	Before 1.6.15
Prisma Graphql Playground Middleware Lambda	Before 1.7.17