1608 matches found
GHSA-236H-RQV8-8Q73 GraphQL: Security breach on Viewer query
Impact: An authenticated user issuing the viewer GraphQL query can bypass all read security on their own User object, and on every object linked to it via a Relation or Pointer. Patches: This vulnerability has been patched in Parse Server 4.3.0. Workarounds: None. References: See commit...
Information Disclosure
parse-server is vulnerable to information disclosure. Insecure handling of regular-expression ($regex) constraints on the sessionToken field allows an attacker to discover and retrieve valid accounts, or to verify and reset another user's account...
GHSA-H4MF-75HF-67W4 Information disclosure in parse-server
You can fetch all the users' objects by using a regex in the NoSQL query. Using NoSQL, you can place a regex on sessionToken, for example "sessionToken": {"$regex": "r:027f"}, and find valid accounts this way. Using this method, it is possible to retrieve accounts without any interaction from the users. GET...
CVE-2020-5251 Information disclosure in parse-server
In parse-server before version 4.1.0, you can fetch all the user objects by using a regex in the NoSQL query. Using NoSQL, you can place a regex on sessionToken and find valid accounts this way...
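The three entries above describe one technique: a client sends a where clause against the _User class with a $regex constraint on sessionToken, and each response tells it whether a live token with that prefix exists, whatever the server does or does not echo back. The JavaScript below is an added illustration, not parse-server's own code and not its 4.1.0 patch: a guard that walks a query's where object and refuses any constraint on protected user fields, including constraints hidden inside $or/$and/$nor. The protected-field list, the function names and the sample queries are assumptions constructed for the example.

```javascript
// Added example, not parse-server code: a guard that rejects client query
// constraints on protected _User fields, so a where-clause such as
// {"sessionToken": {"$regex": "r:027f"}} cannot be used as a yes/no oracle
// for live session tokens. Field names below are assumptions for illustration.

const PROTECTED_USER_FIELDS = new Set([
  'sessionToken',          // the field abused in the advisory
  '_hashed_password',      // other fields a client must never filter on
  '_email_verify_token',
  '_perishable_token',
]);

// Walk a Parse-style `where` object (the JSON a REST client sends as
// GET /parse/classes/_User?where=...) and return every constraint placed
// on a protected field, descending into $or / $and / $nor compounds.
function findProtectedConstraints(where, found = []) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return found;
  for (const [key, value] of Object.entries(where)) {
    if (key === '$or' || key === '$and' || key === '$nor') {
      for (const sub of Array.isArray(value) ? value : []) {
        findProtectedConstraints(sub, found);
      }
      continue;
    }
    if (PROTECTED_USER_FIELDS.has(key)) {
      // {"sessionToken": {"$regex": ...}} -> ['$regex']; a bare value is an
      // implicit equality match, recorded as '$eq'.
      const operators =
        value && typeof value === 'object' && !Array.isArray(value)
          ? Object.keys(value)
          : ['$eq'];
      found.push({ field: key, operators });
    }
  }
  return found;
}

// Gate for the _User class: master-key callers keep full query power;
// everyone else is refused with an error. Refusing (rather than silently
// dropping the constraint) makes the misuse visible in server logs.
function assertSafeUserQuery(where, { isMaster = false } = {}) {
  if (isMaster) return where;
  const hits = findProtectedConstraints(where);
  if (hits.length > 0) {
    const detail = hits
      .map(h => `${h.field} [${h.operators.join(', ')}]`)
      .join('; ');
    throw new Error(`Cannot query on protected fields: ${detail}`);
  }
  return where;
}

// Constructed sample queries (not captured traffic).
const enumerationQuery = { sessionToken: { $regex: '^r:027f' } };
const nestedQuery = {
  $or: [{ username: 'alice' }, { sessionToken: { $regex: '^r:' } }],
};
const benignQuery = { username: { $regex: '^ali' } };

// Convenience for the reader: true when the gate would refuse the query.
function isRefused(where, opts) {
  try {
    assertSafeUserQuery(where, opts);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(isRefused(enumerationQuery)); // true
console.log(isRefused(nestedQuery));      // true
console.log(isRefused(benignQuery));      // false
```

The gate sits in front of the _User query path; a legitimate client never needs to filter on its own sessionToken, so refusing every operator on that field (equality included) costs nothing and closes the oracle regardless of which operator the attacker picks.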
Sensitive Data Exposure
Overview: Versions of parse-server prior to 3.6.0 are vulnerable to Sensitive Data Exposure. The package throws ParseError.ACCOUNT_ALREADY_LINKED (208) before the authentication controller throws ParseError.SESSION_MISSING (206). This allows unauthenticated attackers to enumerate user accounts by...
Denial of Service
Overview: Versions of parse-server prior to 3.4.1 are vulnerable to Denial of Service (DoS). A POST request to /parse/classes/Audience or another volatile class causes the server to respond with a 500 Internal Server Error to every subsequent POST request. Recommendation: Upgrade to version 3.4.1 or...
parse-server denial of service vulnerability
parse-server is an open source Backend-as-a-Service (BaaS) framework that is primarily used for application backend processing. A security vulnerability exists in parse-server versions prior to 3.4.1. An attacker can exploit this vulnerability to cause a denial of service...
Information Disclosure
parse-server is vulnerable to information disclosure. A remote attacker is able to enumerate existing accounts by analyzing the error messages from server responses...
Denial Of Service (DoS)
parse-server is vulnerable to denial of service (DoS). The attack consists of a POST request made against a volatile class such as /parse/classes/Audience, after which the server returns a 500 Internal Server Error for all subsequent POST requests...
CVE-2019-1020013
parse-server before 3.6.0 allows account enumeration...
CVE-2019-1020012
parse-server before 3.4.1 allows DoS after any POST to a volatile class...
Design/Logic Flaw
parse-server before 3.4.1 allows DoS after any POST to a volatile class...
Design/Logic Flaw
parse-server before 3.6.0 allows account enumeration...
CVE-2019-1020013
CVE-2019-1020013 affects parse-server prior to 3.6.0, allowing unauthenticated users to enumerate existing accounts via error messages. The root cause is information disclosure in the authentication/account-linking flow, where specific errors reveal account existence (ParseError.ACCOUNT_ALREADY_L...
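This entry and the Sensitive Data Exposure entry above describe the same ordering flaw: the account-linking path reports ACCOUNT_ALREADY_LINKED (208) before the caller's session is validated, so an unauthenticated request that receives 208 instead of SESSION_MISSING (206) has confirmed that the account exists. The JavaScript below is an added, constructed model of that oracle beside the corrected ordering; it is not parse-server's code. Only the two public ParseError codes named in the advisory are real; the in-memory store, the request shape and the function names are assumptions for the example.

```javascript
// Added example, not parse-server code: a constructed model of the
// check-ordering flaw behind the account-enumeration advisory, beside the
// ordering that closes it. The two error codes are Parse's public
// ParseError codes; everything else here is an assumption for illustration.

const ParseError = { SESSION_MISSING: 206, ACCOUNT_ALREADY_LINKED: 208 };

class LinkError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Constructed in-memory state: which third-party auth identities are
// already linked to a user, and which session tokens are currently valid.
const linkedAuthIds = new Set(['github:1001', 'github:1002']);
const validSessions = new Set(['r:constructed-valid-session']);

// Vulnerable ordering: the "already linked?" lookup runs before the
// caller's session is checked, so an unauthenticated request receives
// 208 when the identity exists and 206 when it does not.
function linkAuthDataVulnerable(request) {
  const authId = `${request.provider}:${request.id}`;
  if (linkedAuthIds.has(authId)) {
    throw new LinkError(ParseError.ACCOUNT_ALREADY_LINKED, 'this auth is already used');
  }
  if (!validSessions.has(request.sessionToken)) {
    throw new LinkError(ParseError.SESSION_MISSING, 'invalid session token');
  }
  linkedAuthIds.add(authId);
  return { linked: true };
}

// Fixed ordering: authenticate first. Without a valid session every probe
// gets the same 206, so the response no longer depends on the store.
function linkAuthDataFixed(request) {
  if (!validSessions.has(request.sessionToken)) {
    throw new LinkError(ParseError.SESSION_MISSING, 'invalid session token');
  }
  const authId = `${request.provider}:${request.id}`;
  if (linkedAuthIds.has(authId)) {
    throw new LinkError(ParseError.ACCOUNT_ALREADY_LINKED, 'this auth is already used');
  }
  linkedAuthIds.add(authId);
  return { linked: true };
}

// Attacker's oracle: submit the identity with no session token and map the
// error code to a verdict. 'exists' is only reachable on the vulnerable
// handler; the fixed one answers 'unknown' for every unauthenticated probe.
function probe(handler, provider, id) {
  try {
    handler({ provider, id, sessionToken: undefined });
    return 'linked'; // would mean the handler linked without authentication
  } catch (e) {
    if (e.code === ParseError.ACCOUNT_ALREADY_LINKED) return 'exists';
    if (e.code === ParseError.SESSION_MISSING) return 'unknown';
    throw e;
  }
}

// Run the oracle over a list of candidate ids and return those reported
// as existing. Neither handler mutates state on an unauthenticated call.
function enumerate(handler, provider, ids) {
  return ids.filter(id => probe(handler, provider, id) === 'exists');
}

const candidates = ['1000', '1001', '1002', '1003'];
console.log(enumerate(linkAuthDataVulnerable, 'github', candidates)); // ['1001', '1002']
console.log(enumerate(linkAuthDataFixed, 'github', candidates));      // []
```

The point generalizes beyond this advisory: any check whose outcome depends on private state must run after authentication, or an attacker can read that state through the error code even though the operation itself is refused.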