Session fixation

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVE-2022-39225

Parse Server contains a vulnerability (CVE-2022-39225) where a user can write to another user’s session object if the session object ID is known, potentially reading custom fields. The issue affects older releases prior to 4.10.15 and 5.0.0–5.2.6, with patches in 4.10.15+ and 5.2.6+. Mitigation g...

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

Parse Server 安全漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.15, 5.0.0 through 5.2.6. An attacker can use this vulnerability to assign a session object to his or her own user by writi...

Parse Server 授权问题漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An authorization issue vulnerability exists in Parse Server versions prior to 4.10.16, 5.0.0 through 5.2.7, which stems from an inability to validate the application IDs of Facebook and Spotify...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39231 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-39231 Source advisory: OSV:GHSA-R657-33VP-GP22...

parse-server auth adapter app ID validation can be circumvented

Impact Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side...

GHSA-R657-33VP-GP22 parse-server auth adapter app ID validation can be circumvented

Impact Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39225 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-39225 Source advisory: OSV:GHSA-6W4Q-23CF-J9JP...

parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

GHSA-6W4Q-23CF-J9JP parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

PT-2022-24823 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.15 Parse Server versions 5.0.0 through 5.2.5 Description: A user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to...

PT-2022-24827 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.16 Parse Server versions 5.0.0 through 5.2.6 Description: The issue concerns the validation of the authentication adapter app ID for Facebook and Spotify. In affected configurations, where the appIds is set...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-36079 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-36079 Source advisory: OSV:GHSA-2M6G-CRV8-P3C6...

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Impact Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using...

Information Disclosure

parse-server is vulnerable to information disclosure. An unauthorized attacker is able to gain access to sensitive user information because of lack of validation in the search pattern...

CVE-2022-36079

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

Code injection

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...