CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058

Parse Server fixed a vulnerability where the Cloud trigger beforeFind was not invoked under certain Parse.Query conditions. The issue could bypass the security layer provided by beforeFind. The fix refactored the internal query pipeline and added a patch to ensure beforeFind is invoked. The fix w...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via a compromised parse server cloud code webhook target endpoint, resulting in prototype pollution...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via cloud code webhooks or triggers and save malicious keywords on the database by passing crafted payloads through RestWrite function...

CVE-2022-41878

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. Patches Improved keyword detection. Workarounds None. Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musar...

GHSA-93VW-8FM5-P2JF Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. Patches Improved keyword detection. Workarounds None. Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musar...

CVE-2022-41879

Parse Server is affected by a prototype pollution vulnerability in Cloud Code Webhook targets. In versions prior to 5.3.3 and 4.10.20, an attacker can exploit a compromised Cloud Code Webhook endpoint to bypass the server’s requestKeywordDenylist, enabling prototype pollution with potentially hig...

PT-2022-26111 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.3.3 Parse Server versions prior to 4.10.20 Description: A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

CVE-2022-41879 Parse Server subject to Prototype pollution via Cloud Code Webhooks

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

CVE-2022-41878 Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

CVE-2022-41878 Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

Parse Server 安全漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.19 or 5.3.2, which stems from an attacker's ability to contaminate prototypes via cloud code web hooks or cloud code...

Parse Server 安全漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.20 or 5.3.3, which stems from an attacker's ability to prototype contamination via a cloud code web hook...

CVE-2022-41878

Parse Server contains a prototype pollution vulnerability (CVE-2022-41878) where keywords defined in the requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers, allowing them to be saved to the database and bypass the denylist. Affected versions are prior to 4.10.19 or 5.3.2; ...

CVE-2022-41878 Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

CVE-2022-41879 Parse Server subject to Prototype pollution via Cloud Code Webhooks

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

GHSA-XPRV-WVH7-QQQX Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Impact Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option. Patches Improved keyword detection. Workarounds...