Home > Vulnerability Database > WS-2022-0276

Mend.io Vulnerability Database

WS-2022-0276

Good to know:

Date: November 3, 2024

The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.

Language: JS

Severity Score

6.1

Related Resources (4)

Url: https://github.com/apollographql/apollo-server/commit/68a439b6e3af9edc8a2480092f2d49f058be1e64

Url: https://github.com/apollographql/apollo-server/security/advisories/GHSA-2fvv-qxrq-7jq6

Url: https://github.com/apollographql/apollo-server

Url: https://www.mend.io/vulnerability-database/WS-2022-0276

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version apollo-server - apollo-server-core@3.10.1

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0276

Good to know:

Date: November 3, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?