Incorrect Access Control in GraphQL Delete Mutations of API Platform by API Platform
CVE-2019-1000011

6.5 MEDIUM

Key Information:

  • CVE Published: 4 February 2019

What is CVE-2019-1000011?

API Platform versions 2.2.0 through 2.3.5 contain an Incorrect Access Control vulnerability in their GraphQL delete mutations. The flaw allows an authenticated user who is authorized to delete only specific resources to delete any resource exposed by the platform, which can lead to unauthorized data manipulation and data loss. The issue is fixed in version 2.3.6; upgrading is the recommended mitigation, since deletion is a sensitive operation that must be covered by the same access checks as the REST operations.

CVSS V3.1

  • Score: 6.5
  • Severity: MEDIUM
  • Confidentiality: None
  • Integrity: High
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
