Description
Acunetix determined that it was possible to access the Hasura GraphQL API without authentication. An unauthentication attacker may use this API to perform SSRF (Server-side request forgery) attacks.
Remediation
Restrict access to the Hasura GraphQL API by setting admin secret.
References
Related Vulnerabilities
Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-11327)
WebLogic Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-40690)
WordPress Plugin Video Conferencing with Zoom Information Disclosure (3.8.16)