
CVSS: 3.7 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. A configuration that lets users authenticate through the Parse Server authentication adapter with `appIds` set as a single string, instead of an array of strings, accepts requests from an app whose app ID differs from the one specified in `appIds`. To exploit this, an attacker needs to be assigned an app ID by the authentication provider that is a sub-set of the server-side configured app ID. This issue is patched in versions 4.10.16 and 5.2.7. • https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22 • CWE-287: Improper Authentication •
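The `appIds`-as-string pitfall, as an added illustration that is not Parse Server's own adapter code: it assumes the membership check falls through to a substring match when `appIds` is a string, which is one way an app ID that is a sub-set of the configured one gets accepted. The function names and the app ID values are constructed for this example.

```javascript
// Vulnerable shape: `appIds` may be a string or an array. `.includes` exists on
// both, but String.prototype.includes is a substring test, so with a string
// config any app ID that is a sub-set of the configured value is accepted.
function appIdAllowedLoose(appIds, appId) {
  return appIds.includes(appId);
}

// Hardened shape: refuse anything that is not a non-empty array of non-empty
// strings, and compare by strict equality only.
function appIdAllowedStrict(appIds, appId) {
  if (!Array.isArray(appIds) || appIds.length === 0) {
    throw new TypeError('appIds must be a non-empty array of strings');
  }
  if (typeof appId !== 'string' || appId.length === 0) return false;
  return appIds.some((id) => typeof id === 'string' && id === appId);
}

// Constructed values for the demonstration (not real app IDs).
const CONFIGURED_AS_STRING = '123456789012345';   // the misconfiguration
const CONFIGURED_AS_ARRAY = ['123456789012345'];  // the intended shape
const ATTACKER_APP_ID = '1234567';                // a sub-set of the real ID

// Returns the four outcomes side by side so they can be checked in one call.
function demo() {
  return {
    looseStringAccepts: appIdAllowedLoose(CONFIGURED_AS_STRING, ATTACKER_APP_ID), // true: bypass
    looseArrayRejects: !appIdAllowedLoose(CONFIGURED_AS_ARRAY, ATTACKER_APP_ID),  // true
    strictRejects: !appIdAllowedStrict(CONFIGURED_AS_ARRAY, ATTACKER_APP_ID),     // true
    strictAcceptsExact: appIdAllowedStrict(CONFIGURED_AS_ARRAY, '123456789012345'), // true
  };
}
```

The strict variant throws on a string config rather than silently wrapping it, so a deployment that still carries the old shape fails at startup instead of at the first malicious login.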

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or from 5.0.0 to 5.2.5, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. This issue is patched in versions 4.10.15 and above, and 5.2.6 and above. • https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp • CWE-669: Incorrect Resource Transfer Between Spheres •

CVSS: 8.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed with `_`) and protected fields (user defined) can be used as query constraints. Parse Server removes internal and protected fields from responses and returns them only to a client using a valid master key. However, by using these fields as query constraints, their values can be guessed by enumerating candidates until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. • https://github.com/parse-community/parse-server/commit/634c44acd18f6ee6ec60fac89a2b602d92799bec https://github.com/parse-community/parse-server/commit/e39d51bd329cd978589983bd659db46e1d45aad4 https://github.com/parse-community/parse-server/issues/8143 https://github.com/parse-community/parse-server/issues/8144 https://github.com/parse-community/parse-server/releases/tag/4.10.14 https://github.com/parse-community/parse-server/releases/tag/5.2.5 https://github.com/parse-community/parse-server/security/advisories/GHSA • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
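The enumeration oracle described above and the gate the patch introduces, as an added example against an in-memory mock rather than Parse Server's own query code. The store, the field names (`secretToken` as a user-defined protected field, `_internalFlag` as an internal field), and the `$regex`-prefix probing loop are constructed for this example; the mock evaluates only equality and `$regex`, which is enough to show why stripping fields from the response alone does not close the leak.

```javascript
// Constructed data: a public field, a protected field and an internal field.
const PROTECTED_FIELDS = ['secretToken'];
const STORE = [
  { objectId: 'x1', name: 'alice', secretToken: 'b4f', _internalFlag: 'k9' },
  { objectId: 'x2', name: 'bob',   secretToken: '07c', _internalFlag: 'm2' },
];

// Restricted = internal (leading underscore) or in the class's protected list.
function isRestrictedField(key, protectedFields) {
  return key.startsWith('_') || protectedFields.includes(key);
}

// Walk a Parse-style `where`, descending into $and/$or/$nor, and return the
// first restricted key used as a constraint, or null if there is none.
function findRestrictedConstraint(where, protectedFields) {
  if (!where || typeof where !== 'object') return null;
  for (const [key, value] of Object.entries(where)) {
    if (['$and', '$or', '$nor'].includes(key) && Array.isArray(value)) {
      for (const sub of value) {
        const hit = findRestrictedConstraint(sub, protectedFields);
        if (hit) return hit;
      }
    } else if (isRestrictedField(key, protectedFields)) {
      return key;
    }
  }
  return null;
}

// Minimal constraint evaluator for the mock: equality or a `$regex` operator.
function matches(obj, where) {
  return Object.entries(where).every(([key, cond]) => {
    if (cond && typeof cond === 'object' && '$regex' in cond) {
      return typeof obj[key] === 'string' && new RegExp(cond.$regex).test(obj[key]);
    }
    return obj[key] === cond;
  });
}

// Response-side filtering: drop restricted fields before returning an object.
function stripRestricted(obj, protectedFields) {
  return Object.fromEntries(
    Object.entries(obj).filter(([k]) => !isRestrictedField(k, protectedFields)),
  );
}

// Unpatched behaviour: any field may be constrained; restricted fields are only
// stripped from the response. Whether an object comes back at all still
// depends on the hidden value, and that is the oracle.
function queryUnpatched(where, { isMaster = false } = {}) {
  const rows = STORE.filter((o) => matches(o, where));
  return isMaster ? rows : rows.map((o) => stripRestricted(o, PROTECTED_FIELDS));
}

// Patched behaviour: a constraint on a restricted field needs the master key.
function queryPatched(where, { isMaster = false } = {}) {
  const hit = isMaster ? null : findRestrictedConstraint(where, PROTECTED_FIELDS);
  if (hit) throw new Error(`constraint on restricted field ${hit} requires the master key`);
  return queryUnpatched(where, { isMaster });
}

// Attacker loop: recover `field` of the object selected by `anchor` one
// character at a time with an anchored $regex prefix, using "any result or
// none" as the signal. Returns the value, or null if no character matches.
function recoverByPrefix(queryFn, anchor, field, length, alphabet) {
  let prefix = '';
  for (let i = 0; i < length; i++) {
    let next = null;
    for (const ch of alphabet) {
      const rows = queryFn({ ...anchor, [field]: { $regex: '^' + prefix + ch } });
      if (rows.length > 0) { next = ch; break; }
    }
    if (next === null) return null;
    prefix += next;
  }
  return prefix;
}

const HEX = '0123456789abcdef';
```

Against `queryUnpatched`, `recoverByPrefix` leaks a three-character hex value in at most 48 requests even though no response ever contains the field; against `queryPatched` the very first probe is refused. The walk into `$and`/`$or`/`$nor` matters: a gate that only looks at top-level keys is bypassed by wrapping the constraint in `$or`.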

CVSS: 8.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields from classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. • https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 https://github.com/parse-community/parse-server/issues/8073 https://github.com/parse-community/parse-server/pull/8074 https://github.com/parse-community/parse-server/releases/tag/5.2.4 https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
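The workaround the advisory names for deployments that cannot upgrade, as an added example of Cloud Code rather than parse-server's own LiveQueryController fix. The class name `Post`, the per-class field list, and the assumption that unsetting a field on `request.object` and `request.original` inside the hook removes it from the event delivered to the client are this example's own; check the last point against the Parse Server version you run. The stripping logic is kept in a plain function so it can be exercised without a server.

```javascript
// Constructed: protected fields per class, mirroring what would otherwise live
// under `protectedFields` in the server configuration for these classes.
const LIVEQUERY_PROTECTED = { Post: ['secretNote', 'internalScore'] };

// Remove every protected field for the target's class. Accepts either a
// Parse.Object-like value (has `className` and `unset`) or a plain JSON object
// carrying a `className`; returns the same target for chaining. A target whose
// class has no entry is returned untouched, as is a missing target (delete
// events and create events have no `original`).
function stripProtectedFields(target, protectedByClass = LIVEQUERY_PROTECTED) {
  if (!target) return target;
  const className = typeof target.className === 'string' ? target.className : undefined;
  const fields = protectedByClass[className] || [];
  for (const field of fields) {
    if (typeof target.unset === 'function') {
      target.unset(field);     // Parse.Object path
    } else {
      delete target[field];    // plain JSON path
    }
  }
  return target;
}

// Cloud Code wiring. Registered only when the Parse global exists, i.e. when
// this file is loaded as Cloud Code, so the helper stays testable offline.
if (typeof Parse !== 'undefined' && Parse.Cloud &&
    typeof Parse.Cloud.afterLiveQueryEvent === 'function') {
  for (const className of Object.keys(LIVEQUERY_PROTECTED)) {
    Parse.Cloud.afterLiveQueryEvent(className, (request) => {
      // `object` is the state being pushed to the subscriber; `original` is
      // present on update events and would otherwise leak the previous value
      // of the same fields, so both are stripped.
      stripProtectedFields(request.object);
      stripProtectedFields(request.original);
    });
  }
}
```

One hook per protected class is registered from the same table that drives the stripping, so adding a class to `LIVEQUERY_PROTECTED` is the only change needed when a new class gains protected fields.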

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. • https://github.com/parse-community/parse-server/commit/5be375dec2fa35425c1003ae81c55995ac72af92 https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9 • CWE-252: Unchecked Return Value CWE-706: Use of Incorrectly-Resolved Name or Reference •