Latest parseplatform parse-server Vulnerabilities

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patche...
Parseplatform Parse-server>=1.0.0<5.5.6
Parseplatform Parse-server>=6.0.0<6.3.1
npm/parse-server>=6.0.0<6.3.1
npm/parse-server>=1.0.0<5.5.6
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deploy...
Parseplatform Parse-server<5.5.5
Parseplatform Parse-server>=6.0.0<6.2.2
npm/parse-server>=6.0.0<6.2.2
npm/parse-server>=1.0.0<5.5.5
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a r...
Parseplatform Parse-server<5.5.2
Parseplatform Parse-server>=6.0.0<6.2.1
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involve...
Parseplatform Parse-server<5.4.4
Parseplatform Parse-server>=6.0.0<6.1.1
npm/parse-server>=6.0.0<6.1.1
npm/parse-server<5.4.4
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Pa...
Parseplatform Parse-server<5.4.1
Impact: A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. Patches: Improv...
Parseplatform Parse-server<4.10.20
Parseplatform Parse-server>=5.0.0<5.3.3
Impact: Keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the data...
Parseplatform Parse-server<4.10.19
Parseplatform Parse-server>=5.0.0<5.3.2
Impact: An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. Patches: Prevent prototype pollution in MongoDB database adapter...
Parseplatform Parse-server<4.10.18
Parseplatform Parse-server>=5.0.0<5.3.1
Impact: Parse Server crashes when a file download request is received with an invalid byte range. Patches: Improved parsing of the range parameter to properly handle invalid range requests. ...
npm/parse-server>=5.0.0<5.2.8
npm/parse-server<4.10.17
Parseplatform Parse-server<4.10.17
Parseplatform Parse-server>=5.0.0<5.2.8
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter a...
Parseplatform Parse-server<4.10.16
Parseplatform Parse-server>=5.0.0<5.2.7
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session...
Parseplatform Parse-server<4.10.15
Parseplatform Parse-server>=5.0.0<5.2.6
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (us...
Parseplatform Parse-server<4.10.14
Parseplatform Parse-server>=5.0.0<5.2.5
Impact: Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches: The LiveQueryController now removes protected fields from the client response. ...
npm/parse-server>=5.0.0<5.2.4
npm/parse-server<4.10.13
Parseplatform Parse-server<4.10.13
Parseplatform Parse-server>=5.0.0<5.2.4
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can cr...
Parseplatform Parse-server<4.10.12
Parseplatform Parse-server>=5.0.0<5.2.3
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth ...
Parseplatform Parse-server<4.10.11
Parseplatform Parse-server>=5.0.0<5.2.2
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerabili...
Parseplatform Parse-server<4.10.10
Parseplatform Parse-server>=5.0.0<5.2.1
Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the...
Parseplatform Parse-server<4.10.7
Canonical Ubuntu Linux
Microsoft Windows
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value ...
Parseplatform Parse-server<4.10.3
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior...
Parseplatform Parse-server<4.5.1
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involv...
Parseplatform Parse-server<4.5.0
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects...
Parseplatform Parse-server<=4.3.0
In parse-server before version 4.1.0, you can fetch all user objects by using a regex in the NoSQL query. Using a NoSQL query, you can use a regex on sessionToken and find valid accounts this way.
Parseplatform Parse-server<4.1.0
parse-server before 3.4.1 allows DoS after any POST to a volatile class.
Parseplatform Parse-server<3.4.1
parse-server before 3.6.0 allows account enumeration.
Parseplatform Parse-server<3.6.0

© 2024 SecAlerts Pty Ltd.