You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The value of the GET parameter query is returned unescaped in the main block of inline JavaScript. Without Content Security Policy (CSP), one is able to break out of the config variable and execute arbitrary JavaScript.
The value of the GET parameter query is returned unescaped in the main block of inline JavaScript. Without Content Security Policy (CSP), one is able to break out of the config variable and execute arbitrary JavaScript.
It appears that
graphiql_workspace.html.eexrenders the page with thequery_stringvariable. This template is loaded byAbsinthe.Plug.GraphiQLwhich attempts to escape the query parameter. It is trivial to bypass this escaping with a backslash.Steps to Reproduce
/api/v2_alpha/graphiql?query=xxx\%27});confirm(document.domain);%20var%20x=new%20graphiqlWorkspace.AppConfig(%22x%22,{//.document.domain.Credits
40826d uncovered this vulnerability and wrote the initial draft of this bug report
The text was updated successfully, but these errors were encountered: