Vulnerability Details CVE-2020-4038
GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.335
EPSS Ranking 96.7%
CVSS Severity
CVSS v3 Score 7.4
CVSS v2 Score 4.3
References
- https://github.com/prisma-labs/graphql-playground#security-details
- https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
- https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
- https://github.com/prisma-labs/graphql-playground#security-details
- https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
- https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
Products affected by CVE-2020-4038
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.10
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.11
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.12
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.13
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.5
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.6
-
cpe:2.3:a:prisma:graphql-playground-html:1.3.7
-
cpe:2.3:a:prisma:graphql-playground-html:1.4.0
-
cpe:2.3:a:prisma:graphql-playground-html:1.4.1
-
cpe:2.3:a:prisma:graphql-playground-html:1.4.2
-
cpe:2.3:a:prisma:graphql-playground-html:1.4.3
-
cpe:2.3:a:prisma:graphql-playground-html:1.4.4
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.0
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.2
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.3
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.4
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.5
-
cpe:2.3:a:prisma:graphql-playground-html:1.5.6
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.0
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.10
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.11
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.12
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.13
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.14
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.15
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.17
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.19
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.20
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.21
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.3
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.4
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.5
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.6
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.8
-
cpe:2.3:a:prisma:graphql-playground-html:1.6.9
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.0.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.1.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.1.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.1.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.1.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.2.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.2.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.11
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.12
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.13
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.3.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.4.9
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.5.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.6.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.6.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.6.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.6.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.11
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.12
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.13
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.14
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.15
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-express:1.7.9
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.1.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.1.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.1.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.2.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.2.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.3.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.4.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.5.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.5.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.5.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.11
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.12
-
cpe:2.3:a:prisma:graphql-playground-middleware-hapi:1.6.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.1.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.1.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.1.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.2.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.3.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.3.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.3.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.3.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.3.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.4.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.4.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.4.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.4.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.5.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.5.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.11
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.12
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.13
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.14
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-koa:1.6.9
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.1.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.1.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.1.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.2.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.2.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.3.9
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.4.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.4.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.4.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.4.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.4.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.5.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.5.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.6.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.6.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.0
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.1
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.10
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.11
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.12
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.13
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.14
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.15
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.16
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.2
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.3
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.4
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.5
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.6
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.7
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.8
-
cpe:2.3:a:prisma:graphql-playground-middleware-lambda:1.7.9