CLSA-2021-1635459208 Fix CVE(s): CVE-2021-25217

SECURITY UPDATE: buffer overrun in common code parseX - debian/patches/CVE-2021-25217.patch: fix incorrect order of operations in common/parse.c. - CVE-2021-25217...

Buffer overflow

NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USBHostParseDeviceConfigurationDescriptor...

CVE-2021-38260

NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USBHostParseDeviceConfigurationDescriptor...

CVE-2021-38260

CVE-2021-38260 affects NXP MCUXpresso SDK v2.7.0. A buffer overflow in USB_HostParseDeviceConfigurationDescriptor() could cause memory corruption. CVSSv3.1 base score 7.8 (LOCAL, LOW exploitability, LOW privileges, NONE user interaction) with HIGH impact on confidentiality, integrity, and availab...

UBUNTU-CVE-2021-42327

dplinksettingswrite in drivers/gpu/drm/amd/display/amdgpudm/amdgpudmdebugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parsewritebufferintoparam...

GHSA-3448-VRGH-85XR NULL Pointer Dereference in OpenCV.

An issue was discovered in OpenCV before 4.1.1 OpenCV-Python before 4.1.1.26. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp...

DEBIAN-CVE-2020-22679

Memory leak in the sgpdparseentry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service DoS via a crafted input...

DEBIAN-CVE-2020-22673

Memory leak in the sencParse function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service DoS via a crafted input...

GO-2021-0113 Out-of-bounds read in golang.org/x/text/language

Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack...

LiveQuery publishes user session tokens in parse-server

Impact For regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery...

GHSA-7PR3-P5FM-8R9X LiveQuery publishes user session tokens in parse-server

Impact For regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2021-41109 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2021-41109 Source advisory: OSV:GHSA-7PR3-P5FM-8R9X...

CVE-2021-41109

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

Session fixation

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109 LiveQuery publishes user session tokens

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109

CVE-2021-41109 refers to a vulnerability in Parse Server where, before version 4.10.4, LiveQuery payloads leaked session tokens for users with a LiveQuery subscription on the Parse.User class. The root cause is that LiveQuery payloads included session tokens while regular queries did not. The adv...

Parse Server 信息泄露漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server suffers from an information disclosure vulnerability that stems from the fact that for regular non-LiveQuery queries, session tokens are removed from the response, but not currentl...

PT-2021-23094 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.4 Description: The issue concerns the exposure of session tokens in LiveQuery payloads for users with a LiveQuery subscription on the Parse.User class. Normally, session tokens are removed from responses fo...

aurelia path code injection vulnerability

aurelia path is part of the aurelia platform and contains utilities for path operations. A code injection vulnerability exists in aurelia path that exposes Aurelia applications that use the aurelia-path package to parse strings. No detailed vulnerability details are provided at this time...