22 matches found
PT-2026-37307
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2 Description A race condition exists in the MFA SMS one-time password OTP login path. This allows two concurrent requests to the '/login' endpoint using the same...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.64 and 9.7.0-alpha.8. These vulnerabilities allowed attackers to send concurrent login...
GHSA-W73W-G5XW-RWHF Parse Server has an MFA single-use token bypass via concurrent authData login requests
Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...
CVE-2026-33409
Parse Server suffers an authentication bypass on login via partial authData. Affected versions are before 8.6.52 and 9.6.0-alpha.41, where an attacker can log in as a user linked to a third‑party provider if allowExpiredAuthDataToken is true. The attacker only needs the user’s provider ID, gainin...
CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...
CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...
BIT-PARSE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of...
CVE-2026-33163
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-33163
Summary: CVE-2026-33163 affects Parse Server’s LiveQuery afterEvent trigger. Before versions 9.6.0-alpha.35 and 8.6.50, when a class has a Parse.Cloud.afterLiveQueryEvent trigger, the LiveQuery event payload could leak protected fields and authData to subscribers of that class. The leak stems fro...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
Parse Server 授权问题漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.29 and 8.6.49 have a licensing issue vulnerability. This vulnerability stems from an empty authData object, which can...
Weak Authentication
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Weak Authentication in the user sign up. An attacker can create authenticated sessions without providing valid credentials b...
PT-2026-25999
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
krb5 -- Double-free in KDC TGS processing
The MIT krb5 Team reports: When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the encpart pointer to be aliased to the header ticket until krb5encrypttktpart is called...
Authentication Bypass
parse-server is vulnerable to authentication bypass. The vulnerability exists because the certificate in auth adapter is not properly validated. An attacker is able to bypass authentication checks by making a fake certificate accessible via certain Apple domains and providing the URL to that...
IBM WebSphere Application Server 8.5.5.x < 8.5.5.5 Multiple Vulnerabilities
Binary data 700047.prm...
CVE-2015-0175
IBM WebSphere Application Server WAS 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors...
CVE-2015-0175
IBM WebSphere Application Server WAS 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors...