Description
Acunetix determined that it was possible to access the Hasura GraphQL API without authentication. When Hasura GraphQL Engine runs without an admin secret, every request is processed with the admin role, so the GraphQL, metadata and query endpoints accept unauthenticated requests. An unauthenticated attacker can use the admin-only metadata operations that make the engine contact a caller-supplied URL (remote schemas, action handlers and event-trigger webhooks) to perform SSRF (Server-side request forgery) attacks against hosts reachable from the engine.
Remediation
Restrict access to the Hasura GraphQL API by setting an admin secret: start the engine with the HASURA_GRAPHQL_ADMIN_SECRET environment variable (or the --admin-secret flag) so that admin-level requests require the x-hasura-admin-secret header, and authenticate other clients through Hasura's JWT or webhook authentication mode. Keep the admin secret out of browser-facing clients, disable the console in production, and limit network access to the metadata and query endpoints so that only trusted operators can reach them.
References
Related Vulnerabilities
WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3126)
DWR Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-5325)
Joomla! Core 1.5.x Information Disclosure (1.5.0 - 1.5.14)
WordPress Plugin Gmail SMTP Arbitrary File Disclosure (1.1.0)
WordPress Plugin Doneren met Mollie Information Disclosure (2.8.4)