
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. • https://docs.parseplatform.org/parse-server/guide/#security https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5 https://github.com/parse-community/parse-server/releases/tag/5.5.5 https://github.com/parse-community/parse-server/releases/tag/6.2.2 https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q • CWE-670: Always-Incorrect Control Flow Implementation •

CVSS: 9.8 | EPSS: 18% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1. • https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90 https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f https://github.com/parse-community/parse-server/issues/8674 https://github.com/parse-community/parse-server/issues/8675 https://github.com/parse-community/parse-server/releases/tag/5.5.2 https://github.com/parse-community/parse-server/releases/tag/6.2.1 https://github.com/parse-community/parse-server/security/advisories/GHSA- • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. • https://github.com/parse-community/parse-server/pull/8537 https://github.com/parse-community/parse-server/pull/8538 https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows circumventing the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. • https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8 https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x • CWE-290: Authentication Bypass by Spoofing •

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds. • https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •