CVE-2020-4038
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
08/06/2020
Last modified:
12/06/2020
Description
GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.
Impact
Base Score 3.x
7.40
Severity 3.x
HIGH
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:prisma:graphql-playground-html:*:*:*:*:*:node.js:*:* | 1.6.22 (excluding) | |
| cpe:2.3:a:prisma:graphql-playground-middleware-express:*:*:*:*:*:node.js:*:* | 1.7.16 (excluding) | |
| cpe:2.3:a:prisma:graphql-playground-middleware-hapi:*:*:*:*:*:node.js:*:* | 1.6.13 (excluding) | |
| cpe:2.3:a:prisma:graphql-playground-middleware-koa:*:*:*:*:*:node.js:*:* | 1.6.15 (excluding) | |
| cpe:2.3:a:prisma:graphql-playground-middleware-lambda:*:*:*:*:*:node.js:*:* | 1.7.17 (excluding) |
To consult the complete list of CPE names with products and versions, see this page