Philippe Tranca

Researcher from Lexfo
#35913 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-26109
7.5
2022-11-10
Ez Systems · Ezplatform-Graphql · CVE-2022-41876
**Name of the Vulnerable Software and Affected Versions**

- ezplatform-graphql versions prior to 1.0.13
- ezplatform-graphql versions prior to 2.3.12

**Description**

The issue concerns the exposure of password hashes of users who have created or modified content, typically administrators and editors, through unauthenticated GraphQL queries for user accounts. This is due to insecure storage of sensitive information.

**Recommendations**

For versions prior to 1.0.13, update to version 1.0.13 to resolve the issue. For versions prior to 2.3.12, update to version 2.3.12 to resolve the issue.

As a temporary workaround for users unable to upgrade, consider removing the `passwordHash` entry from `src/bundle/Resources/config/graphql/User.types.yaml` in the GraphQL package, and other properties such as `hash type`, `email` and `login` if preferred.