Advisories for Npm/@Apollo/Sandbox package

This advisory duplicates another.

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies.