CVSS: 10.0EPSS: 9%CPEs: 3EXPL: 3CVE-2022-24760 – Command Injection in Parse server
https://notcve.org/view.php?id=CVE-2022-24760
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. • https://github.com/tuo4n8/CVE-2022-24760 https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41109 – LiveQuery publishes user session tokens
https://notcve.org/view.php?id=CVE-2021-41109
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up. • https://github.com/parse-community/parse-server/commit/4ac4b7f71002ed4fbedbb901db1f6ed1e9ac5559 https://github.com/parse-community/parse-server/releases/tag/4.10.4 https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39187 – Crash server with query parameter
https://notcve.org/view.php?id=CVE-2021-39187
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist. • https://github.com/parse-community/parse-server/commit/308668c89474223e2448be92d6823b52c1c313ec https://github.com/parse-community/parse-server/releases/tag/4.10.3 https://github.com/parse-community/parse-server/security/advisories/GHSA-xqp8-w826-hh6x https://jira.mongodb.org/browse/NODE-3463 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39138 – New anonymous user session acts as if it's created with password
https://notcve.org/view.php?id=CVE-2021-39138
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the `authProvider` field in `_Session` class under `createdWith` shows the user logged in creating a password. If a developer later depends on the `createdWith` field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a `password`. • https://github.com/parse-community/parse-server/commit/147bd9a3dc43391e92c36e05d5db860b04ca27db https://github.com/parse-community/parse-server/releases/tag/4.5.1 https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26288 – Parse Server stores password in plain text
https://notcve.org/view.php?id=CVE-2020-26288
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage. Parse Server es un backend de código abierto que puede ser implementado en cualquier infraestructura que pueda ejecutar Node.js. • https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a https://github.com/parse-community/parse-server/releases/tag/4.5.0 https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3 https://www.npmjs.com/package/parse-server • CWE-312: Cleartext Storage of Sensitive Information •