
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without an extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.

• https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe
• https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0
• https://github.com/parse-community/parse-server/releases/tag/5.5.6
• https://github.com/parse-community/parse-server/releases/tag/6.3.1
• https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5.

• https://docs.parseplatform.org/parse-server/guide/#security
• https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5
• https://github.com/parse-community/parse-server/releases/tag/5.5.5
• https://github.com/parse-community/parse-server/releases/tag/6.2.2
• https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q
• CWE-670: Always-Incorrect Control Flow Implementation

CVSS: 9.8 | EPSS: 18% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

• https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
• https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
• https://github.com/parse-community/parse-server/issues/8674
• https://github.com/parse-community/parse-server/issues/8675
• https://github.com/parse-community/parse-server/releases/tag/5.5.2
• https://github.com/parse-community/parse-server/releases/tag/6.2.1
• https://github.com/parse-community/parse-server/security/advisories/GHSA-
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks.

• https://github.com/parse-community/parse-server/pull/8537
• https://github.com/parse-community/parse-server/pull/8538
• https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.

• https://github.com/parse-community/parse-server-push-adapter/pull/217
• https://github.com/parse-community/parse-server-push-adapter/releases/tag/4.1.3
• https://github.com/parse-community/parse-server-push-adapter/security/advisories/GHSA-mxhg-rvwx-x993
• CWE-20: Improper Input Validation