CVE-2023-22474 Parse Server is vulnerable to authentication bypass via spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

Parse Server 安全漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 5.4.1, which stems from a vulnerability that allows bypassing the Parse Server masterKeyIps security mechanism by setting the...

IP Spoofing

parse-server is vulnerable to IP Spoofing Attack Via HTTP Request Header. The vulnerability exists due to the incorrect implementation of the client IP address in the parse server option masterKeyIps of the library, which sets the allowed IP address to the the x-forwarded-for header value, allowi...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-22474 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-22474 Source advisory: OSV:GHSA-VM5R-C87R-PF6X...

GHSA-VM5R-C87R-PF6X Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various feature...

Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various feature...

PT-2023-18526 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.4.1 Description: The issue arises from Parse Server's use of the request header x-forwarded-for to determine the client IP address. If Parse Server is not running behind a proxy server, a client can set this...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via a compromised parse server cloud code webhook target endpoint, resulting in prototype pollution...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via cloud code webhooks or triggers and save malicious keywords on the database by passing crafted payloads through RestWrite function...

Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the buildUpdatedObject function. The issue results from the lack of control over modifications ...

Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the \expandResultOnKeyPath function. The issue results from the lack of control over...

Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the transformUpdate function. The issue results from the lack of control over modifications...

CVE-2022-41878

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

CVE-2022-41879

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-41879 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-41879 Source advisory: OSV:GHSA-93VW-8FM5-P2JF...

GHSA-93VW-8FM5-P2JF Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. Patches Improved keyword detection. Workarounds None. Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musar...

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. Patches Improved keyword detection. Workarounds None. Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musar...

Prototype Pollution

parse-server is vulnerable to Prototype Pollution. An attacker can inject properties into existing construct prototypes via the MongoDB BSON parser and modify attributes such as proto, constructor, and prototype base objects to achieve remote code execution...