CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31485 – GraphQL grant on a property might be cached with different objects
https://notcve.org/view.php?id=CVE-2025-31485
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22. API Platform Core es un sistema para crear API REST y GraphQL basadas en hipermedia. • https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8 • CWE-696: Incorrect Behavior Order •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31481 – GraphQL query operations security can be bypassed
https://notcve.org/view.php?id=CVE-2025-31481
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22. API Platform Core es un sistema para crear API REST y GraphQL basadas en hipermedia. Mediante el tipo de nodo especial Relay, se puede eludir la seguridad configurada en una operación. • https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47639 – API Platform Core can leak exceptions message that may contain sensitive information
https://notcve.org/view.php?id=CVE-2023-47639
03 Apr 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This vulnerability is fixed in 3.2.5. API Platform Core es un sistema para crear API REST y GraphQL basadas en hipermedia. Desde la versión 3.2.0 hasta la 3.2.4, los mensajes de excepción que no son excepciones HTTP son visibles en la respuesta de error JSON. • https://github.com/api-platform/core/commit/ba8a7e6538bccebf14c228e43a9339214c4d9201 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23204 – GraphQl securityAfterResolver not called
https://notcve.org/view.php?id=CVE-2025-23204
24 Mar 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to `security`, the impact is there only when there's only a security after resolver and none inside security. Version 3.3.15 contains a patch for the issue. • https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5192 – Excessive Data Query Operations in a Large Data Table in pimcore/demo
https://notcve.org/view.php?id=CVE-2023-5192
26 Sep 2023 — Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Operaciones excesivas de consulta de datos en una tabla de datos grande en el repositorio de GitHub pimcore/demo antes de 10.3.0. • https://github.com/pimcore/demo/commit/a2a7ff3b565882aefb759804aac4a51afb458f1f • CWE-1049: Excessive Data Query Operations in a Large Data Table •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25575 – Secured properties in API Platform Core may be accessible within collections
https://notcve.org/view.php?id=CVE-2023-25575
28 Feb 2023 — API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. • https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb • CWE-842: Placement of User into Incorrect Group CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 15%CPEs: 2EXPL: 1CVE-2022-29777
https://notcve.org/view.php?id=CVE-2022-29777
01 Jun 2022 — Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contienen un desbordamiento de pila por medio del componente DesktopEditor/fontengine/fontconverter/FontFileBase.h • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 15%CPEs: 2EXPL: 1CVE-2022-29776
https://notcve.org/view.php?id=CVE-2022-29776
01 Jun 2022 — Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contenían un desbordamiento de pila por medio del componente DesktopEditor/common/File.cpp • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 • CWE-787: Out-of-bounds Write •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-38144
https://notcve.org/view.php?id=CVE-2021-38144
31 Aug 2021 — An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when a viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS]. Se ha detectado un problema en Form Tools versiones hasta 3.0.20. Un usuario poco privilegiado puede desencadenar un ataque de tipo XSS Reflejado cuando visualiza un formulario por medio del parámetro submission_id, por ejemplo, clients/forms/edit_submission.php? • https://bernardofsr.github.io/blog/2021/form-tools • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2021-38143
https://notcve.org/view.php?id=CVE-2021-38143
31 Aug 2021 — An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin. Se ha detectado un problema en Form Tools versiones hasta 3.0.20. • https://bernardofsr.github.io/blog/2021/form-tools • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •