What is the severity of CVE-2020-4038?

CVE-2020-4038 has a severe severity rating due to its risk of allowing XSS reflection attacks.

How do I fix CVE-2020-4038?

To fix CVE-2020-4038, upgrade to graphql-playground-html version 1.6.22 or later.

What types of applications are affected by CVE-2020-4038?

CVE-2020-4038 affects applications using the graphql-playground-html, graphql-playground-middleware-express, graphql-playground-middleware-hapi, graphql-playground-middleware-koa, and graphql-playground-middleware-lambda packages.

What kind of vulnerability is CVE-2020-4038?

CVE-2020-4038 is an XSS reflection attack vulnerability due to unsanitized user input in the renderPlaygroundPage() method.

Who should be concerned about CVE-2020-4038?

Developers and organizations using the affected versions of the Prisma GraphQL Playground packages should address CVE-2020-4038 immediately.

Vulnerability/
CVE-2020-4038

high

7.4

CWE

8/6/2020

4/8/2024

CVE-2020-4038: Reflected XSS in GraphQL Playground

First published: Mon Jun 08 2020(Updated: )

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Prisma GraphQL Playground HTML	<1.6.22
Prisma GraphQL Playground Middleware Express	<1.7.16
Prisma GraphQL Playground Middleware Hapi	<1.6.13
Prisma GraphQL Playground Middleware Koa	<1.6.15
Prisma GraphQL Playground Middleware	<1.7.17

Remedy

https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2020-4038?
CVE-2020-4038 has a severe severity rating due to its risk of allowing XSS reflection attacks.
How do I fix CVE-2020-4038?
To fix CVE-2020-4038, upgrade to graphql-playground-html version 1.6.22 or later.
What types of applications are affected by CVE-2020-4038?
CVE-2020-4038 affects applications using the graphql-playground-html, graphql-playground-middleware-express, graphql-playground-middleware-hapi, graphql-playground-middleware-koa, and graphql-playground-middleware-lambda packages.
What kind of vulnerability is CVE-2020-4038?
CVE-2020-4038 is an XSS reflection attack vulnerability due to unsanitized user input in the renderPlaygroundPage() method.
Who should be concerned about CVE-2020-4038?
Developers and organizations using the affected versions of the Prisma GraphQL Playground packages should address CVE-2020-4038 immediately.

agent/type
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/author
agent/weakness
agent/references
agent/remedy
agent/title
agent/description
agent/first-publish-date
agent/event
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/prisma
canonical/prisma graphql playground html
canonical/prisma graphql playground middleware express
canonical/prisma graphql playground middleware hapi
canonical/prisma graphql playground middleware koa
canonical/prisma graphql playground middleware