Description
Invicti determined that it was possible to access the Hasura GraphQL API without authentication. An unauthentication attacker may use this API to perform SSRF (Server-side request forgery) attacks.
Remediation
Restrict access to the Hasura GraphQL API by setting admin secret.
References
Related Vulnerabilities
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4360)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2158)
Joomla! Core 3.x.x Multiple Vulnerabilities (3.0.0 - 3.10.6)
Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-7859)