{"id":"GHSA-p76j-h4m8-hx5c","summary":"Pimcore Demo Allows GraphQL Introspection","details":"Introspection is enabled on `demo.pimcore.fun`. The demo site has GraphQL as a feature for users, but allows users to run introspection queries, which presents a potential schema information disclosure vulnerability.","aliases":["CVE-2023-5192"],"modified":"2024-02-16T08:12:46.043663Z","published":"2023-09-27T15:30:40Z","database_specific":{"nvd_published_at":"2023-09-27T15:19:42Z","cwe_ids":["CWE-1049","CWE-200"],"severity":"MODERATE","github_reviewed":true,"github_reviewed_at":"2023-09-27T20:24:29Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5192"},{"type":"WEB","url":"https://github.com/pimcore/demo/pull/437"},{"type":"WEB","url":"https://github.com/pimcore/demo/commit/a2a7ff3b565882aefb759804aac4a51afb458f1f"},{"type":"PACKAGE","url":"https://github.com/pimcore/demo"},{"type":"WEB","url":"https://huntr.dev/bounties/65c954f2-79c3-4672-8846-a3035e7a1db7"}],"affected":[{"package":{"name":"pimcore/demo","ecosystem":"Packagist","purl":"pkg:composer/pimcore/demo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.3.0"}]}],"versions":["10.0.11","v1.0.0","v1.0.1","v1.0.2","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.4.0","v1.4.1","v1.4.10","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.1","v1.6.10","v1.6.11","v1.6.12","v1.6.13","v1.6.14","v1.6.15","v1.6.16","v1.6.17","v1.6.18","v1.6.19","v1.6.2","v1.6.20","v1.6.21","v1.6.22","v1.6.23","v1.6.24","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v10.0.0","v10.0.1","v10.0.10","v10.0.12","v10.0.13","v10.0.2","v10.0.4","v10.0.5","v10.0.6","v10.0.7","v10.0.8","v10.0.9","v10.1.0","v10.1.1","v10.1.10","v10.1.11","v10.1.12","v10.1.13","v10.1.14","v10.1.15","v10.1.16","v10.1.17",
"v10.1.2","v10.1.3","v10.1.4","v10.1.5","v10.1.6","v10.1.7","v10.1.8","v10.1.9","v10.2.0","v10.2.1","v10.2.2","v10.2.3","v10.2.4","v10.2.5","v10.2.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-p76j-h4m8-hx5c/GHSA-p76j-h4m8-hx5c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}]}