Lucene search
K

1619 matches found

vulnersOsv
vulnersOsv
added 2022/09/21 6:32 p.m.4 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39225 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-39225 Source advisory: OSV:GHSA-6W4Q-23CF-J9JP...

4.3CVSS5.8AI score0.00397EPSS
Exploits0
OSV
OSV
added 2022/09/21 6:32 p.m.23 views

GHSA-6W4Q-23CF-J9JP parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

4.3CVSS4.1AI score0.00397EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2022/09/21 6:32 p.m.38 views

parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

4.3CVSS4.6AI score0.00397EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2022/09/21 12:0 a.m.5 views

PT-2022-24827 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.16 Parse Server versions 5.0.0 through 5.2.6 Description: The issue concerns the validation of the authentication adapter app ID for Facebook and Spotify. In affected configurations, where the appIds is set...

3.7CVSS3.8AI score0.00427EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2022/09/21 12:0 a.m.6 views

PT-2022-24823 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.15 Parse Server versions 5.0.0 through 5.2.5 Description: A user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to...

4.3CVSS3.8AI score0.00397EPSS
Exploits0References11
vulnersOsv
vulnersOsv
added 2022/09/16 9:17 p.m.3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-36079 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-36079 Source advisory: OSV:GHSA-2M6G-CRV8-P3C6...

8.6CVSS7.1AI score0.00966EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2022/09/16 9:17 p.m.39 views

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Impact Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using...

8.6CVSS7.3AI score0.00966EPSS
Exploits0References9Affected Software1
Veracode
Veracode
added 2022/09/08 8:23 a.m.23 views

Information Disclosure

parse-server is vulnerable to information disclosure. An unauthorized attacker is able to gain access to sensitive user information because of lack of validation in the search pattern...

8.6CVSS7.1AI score0.00966EPSS
Exploits0References9Affected Software1
NVD
NVD
added 2022/09/07 9:15 p.m.35 views

CVE-2022-36079

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

8.6CVSS0.00966EPSS
Exploits0References7
Prion
Prion
added 2022/09/07 9:15 p.m.12 views

Code injection

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

5CVSS7.4AI score0.00966EPSS
Exploits0References7Affected Software1
Cvelist
Cvelist
added 2022/09/07 8:40 p.m.49 views

CVE-2022-36079 Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

8.6CVSS8.2AI score0.00966EPSS
Exploits0References7
OSV
OSV
added 2022/09/07 8:40 p.m.23 views

CVE-2022-36079 Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

8.6CVSS7.7AI score0.00966EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2022/09/07 8:40 p.m.9 views

CVE-2022-36079 Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. Internal and protected fields are removed by Parse Server a...

8.6CVSS8.5AI score0.00966EPSS
Exploits0References7
CVE
CVE
added 2022/09/07 8:40 p.m.72 views

CVE-2022-36079

CVE-2022-36079 affects Parse Server. Internal/protected fields (prefixed with '_') can be used as query constraints, and before fixes users could enumerate these fields to elicit a response object. This vulnerability existed prior to patches in versions 4.10.14 and 5.2.5, which require the master...

8.6CVSS7.9AI score0.00966EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2022/09/07 12:0 a.m.6 views

PT-2022-23167 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.14 Parse Server versions prior to 5.2.5 Description: Internal fields keys used internally by Parse Server, prefixed by and protected fields user defined can be used as query constraints. These fields are...

8.6CVSS7.6AI score0.00966EPSS
Exploits0References13
CNNVD
CNNVD
added 2022/09/07 12:0 a.m.6 views

Parse Server 信息泄露漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An information disclosure vulnerability exists in Parse Server versions prior to 4.10.14 and prior to 5.2.5, which stems from the use of query constraints that can be enumerated to guess these...

8.6CVSS7.5AI score0.00966EPSS
Exploits0References8
Check Point Advisories
Check Point Advisories
added 2022/08/15 12:0 a.m.17 views

Microsoft Windows Parse Server Prototype Pollution (CVE-2022-24760)

A prototype pollution vulnerability exists in Microsoft Windows Parse Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...

7.5CVSS6.8AI score0.49081EPSS
Exploits1
BDU FSTEC
BDU FSTEC
added 2022/07/13 12:0 a.m.3 views

The vulnerability of the Apple Game Center authentication adapter allows a hacker to bypass the authentication process. This vulnerability is due to syntactic analysis by the Parse Server.

The vulnerability of the Apple Game Center authentication adapter relates to the lack of certificate verification. Exploiting this vulnerability allows a malicious actor to bypass the authentication process using a fake certificate...

8.6CVSS7.2AI score0.00804EPSS
Exploits0References7Affected Software1
vulnersOsv
vulnersOsv
added 2022/07/06 7:52 p.m.3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-31112 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-31112 Source advisory: OSV:GHSA-CRRQ-VR9J-FXXH...

8.2CVSS7.2AI score0.01211EPSS
Exploits0
OSV
OSV
added 2022/07/06 7:52 p.m.22 views

GHSA-CRRQ-VR9J-FXXH Protected fields exposed via LiveQuery

Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches The LiveQueryController now removes protected fields from the client response. Workarounds Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References -...

8.2CVSS8.3AI score0.01211EPSS
Exploits0References9
Rows per page
Query Builder