CVE-2020-4038

{"id": "CVE-2020-4038", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2020-06-08T21:15:09.923", "references": [{"url": "https://github.com/prisma-labs/graphql-playground#security-details", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13."}, {"lang": "es", "value": "GraphQL Playground (paquete Graphql-playground-html NPM) versi\u00f3n anterior a 1.6.22, presenta una grave vulnerabilidad de ataque de Reflexi\u00f3n XSS. Toda entrada de usuario no saneada que es pasada al m\u00e9todo renderPlaygroundPage() podr\u00eda desencadenar esta vulnerabilidad. Esto ha sido parcheado en graphql-playground-html versi\u00f3n 1.6.22. Tome en cuenta que algunos de los paquetes de middleware dependientes asociados tambi\u00e9n est\u00e1n afectados, incluidos, entre otros, graphql-playground-middleware-express versi\u00f3n anterior a 1.7.16, graphql-playground-middleware-koa versi\u00f3n anterior a 1.6.15, graphql-playground-middleware-lambda versi\u00f3n anterior a 1.7.17, y graphql-playground-middleware-hapi versi\u00f3n anterior a 1.6.13"}], "lastModified": "2020-06-12T14:38:19.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prisma:graphql-playground-html:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "ABADBEC8-9462-4D41-9CF2-AAE06F44B192", "versionEndExcluding": "1.6.22"}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-express:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8277C213-ED4A-495C-8F78-3A6BAB562EEA", "versionEndExcluding": "1.7.16"}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-hapi:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8FF9861D-5F51-4395-8399-B20E883D1AE4", "versionEndExcluding": "1.6.13"}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-koa:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "2CEB6EE1-895A-4729-9E77-64B758B1F8A9", "versionEndExcluding": "1.6.15"}, {"criteria": "cpe:2.3:a:prisma:graphql-playground-middleware-lambda:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A2DF5937-B97F-4B80-9258-4F289B450F3E", "versionEndExcluding": "1.7.17"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}