
CVSS: 8.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
• References: https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg https://github.com/parse-community/parse-server/pull/9317 https://github.com/parse-community/parse-server/pull/9318 https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f
• CWE-285: Improper Authorization

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
• References: https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3 https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b https://github.com/parse-community/parse-server/pull/9167 https://github.com/parse-community/parse-server/pull/9168 https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitization for the Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.
• References: https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e https://github.com/parse-community/parse-server/releases/tag/6.5.5 https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Parse Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the literalizeRegexPart function.
• References: https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833 https://github.com/parse-community/parse-server/releases/tag/6.5.0 https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without an extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
• References: https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0 https://github.com/parse-community/parse-server/releases/tag/5.5.6 https://github.com/parse-community/parse-server/releases/tag/6.3.1 https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal