CVE-2023-46119

Parse Server vulnerability CVE-2023-46119 causes crashes during file upload when no extension is provided. Affected software: Parse Server (Node.js backend). Root cause (as described in sources): crash due to handling of file uploads without an extension, leading to denial of service-like disrupt...

CVE-2023-46119 Parse Server may crash when uploading file without extension

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1...

CVE-2023-46119 Parse Server may crash when uploading file without extension

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1...

Parse Server Path Traversal Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server that stems from the application crashing when uploading files with no extension...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-46119 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-46119 Source advisory: OSV:GHSA-792Q-Q67H-W579...

GHSA-792Q-Q67H-W579 Parse Server may crash when uploading file without extension

Impact Parse Server crashes when uploading a file without extension. Patches A permanent fix has been implemented to prevent the server from crashing. Workarounds There are no known workarounds. References - GitHub security advisory:...

Parse Server may crash when uploading file without extension

Impact Parse Server crashes when uploading a file without extension. Patches A permanent fix has been implemented to prevent the server from crashing. Workarounds There are no known workarounds. References - GitHub security advisory:...

PT-2023-29852 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.5.6 Parse Server versions prior to 6.3.1 Description: Parse Server crashes when uploading a file without extension. This issue has been patched in versions 5.5.6 and 6.3.1. Recommendations: For versions prior ...

Incorrect Control Flow Implementation

Parse server is vulnerable to Incorrect Control Flow Implementation vulnerability. The vulnerability is caused by not invoking beforeFind trigger when executing the Parse.Query method in certain conditions. This can lead to access control issues when beforeFind is used as a security layer to modi...

CVE-2023-41058

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

Information disclosure

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-41058 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-41058 Source advisory: OSV:GHSA-FCV6-FG5R-JM9Q...

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query. Patches The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2023-41058

Parse Server fixed a vulnerability where the Cloud trigger beforeFind was not invoked under certain Parse.Query conditions. The issue could bypass the security layer provided by beforeFind. The fix refactored the internal query pipeline and added a patch to ensure beforeFind is invoked. The fix w...

PT-2023-27766 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.5.5 Parse Server versions prior to 6.2.2 Description: The issue concerns the Parse Cloud trigger beforeFind not being invoked in certain conditions of Parse.Query. This poses a risk for deployments where the...

Parse Server Security Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server version 1.0.0, which stems from the Parse Cloud trigger "beforeFind" not being called under certain conditions in "Parse.Query"...

Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the transformUpdate function. The issue results from the lack of control over modifications to...