
1603 matches found

NVD
added 2023/09/04 11:15 p.m., 12 views

CVE-2023-41058

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVSS 7.5 · AI score 7.6 · EPSS 0.00268
Exploits 0 · References 5
Prion
added 2023/09/04 11:15 p.m., 29 views

Information disclosure

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVSS 5 · AI score 7.6 · EPSS 0.00268
Exploits 0 · References 5 · Affected Software 1
vulnersOsv
added 2023/09/04 10:40 p.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-41058 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-41058 Source advisory: OSV:GHSA-FCV6-FG5R-JM9Q...

CVSS 7.5 · AI score 7.1 · EPSS 0.00268
Exploits 0
Github Security Blog
added 2023/09/04 10:40 p.m., 28 views

Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer

Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query. Patches The...

CVSS 7.5 · AI score 6.8 · EPSS 0.00268
Exploits 0 · References 7 · Affected Software 1
Cvelist
added 2023/09/04 10:39 p.m., 13 views

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVSS 7.5 · AI score 7.8 · EPSS 0.00268
Exploits 0 · References 5
Vulnrichment
added 2023/09/04 10:39 p.m., 8 views

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVSS 7.5 · AI score 7 · EPSS 0.00268
Exploits 0 · References 5
CVE
added 2023/09/04 10:39 p.m., 68 views

CVE-2023-41058

Parse Server fixed a vulnerability where the Cloud trigger beforeFind was not invoked under certain Parse.Query conditions. The issue could bypass the security layer provided by beforeFind. The fix refactored the internal query pipeline and added a patch to ensure beforeFind is invoked. The fix w...

CVSS 7.5 · AI score 7.5 · EPSS 0.00268
Exploits 0 · References 5 · Affected Software 1
OSV
added 2023/09/04 10:39 p.m., 16 views

CVE-2023-41058 Trigger `beforeFind` not invoked in internal query pipeline in parse-server

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVSS 7.5 · AI score 7.4 · EPSS 0.00268
Exploits 0 · References 7
CNNVD
added 2023/09/04 12:00 a.m., 2 views

Parse Server Security Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server version 1.0.0, which stems from the Parse Cloud trigger "beforeFind" not being called under certain conditions in "Parse.Query"...

CVSS 7.5 · AI score 6.7 · EPSS 0.00268
Exploits 0 · References 6
Positive Technologies
added 2023/09/04 12:00 a.m., 3 views

PT-2023-27766 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.5.5 Parse Server versions prior to 6.2.2 Description: The issue concerns the Parse Cloud trigger beforeFind not being invoked in certain conditions of Parse.Query. This poses a risk for deployments where the...

CVSS 7.5 · AI score 7.4 · EPSS 0.00268
Exploits 0 · References 13
Zero Day Initiative
added 2023/08/22 12:00 a.m., 20 views

Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the transformUpdate function. The issue results from the lack of control over modifications to...

CVSS 7.2 · AI score 7.5 · EPSS 0.09829
Exploits 0 · References 1
Veracode
added 2023/07/02 11:36 a.m., 13 views

Prototype Pollution

parse-server is vulnerable to Prototype Pollution. The vulnerability exists due to improper conditional checks in multiple functions which allows an attacker to inject and modify malicious prototypes via the MongoDB BSON parser, resulting in remote code execution...

CVSS 9.8 · AI score 7.4 · EPSS 0.09829
Exploits 0 · References 10 · Affected Software 1
OSV
added 2023/06/30 8:41 p.m., 27 views

GHSA-462X-C3JW-7VR6 Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. Patches Prevent prototype pollution in MongoDB database adapter. Workarounds Disable remote code execution through the MongoDB BSON parser. Credits - Discovered by hir0ot...

CVSS 9.8 · AI score 9.6 · EPSS 0.09829
Exploits 0 · References 9
vulnersOsv
added 2023/06/30 8:41 p.m., 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-36475 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-36475 Source advisory: OSV:GHSA-462X-C3JW-7VR6...

CVSS 9.8 · AI score 7.1 · EPSS 0.09829
Exploits 0
Github Security Blog
added 2023/06/30 8:41 p.m., 27 views

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. Patches Prevent prototype pollution in MongoDB database adapter. Workarounds Disable remote code execution through the MongoDB BSON parser. Credits - Discovered by hir0ot...

CVSS 9.8 · AI score 7.7 · EPSS 0.09829
Exploits 0 · References 9 · Affected Software 1
NVD
added 2023/06/28 11:15 p.m., 8 views

CVE-2023-36475

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 9.8 · AI score 9.8 · EPSS 0.09829
Exploits 0 · References 7
CVE
added 2023/06/28 10:32 p.m., 80 views

CVE-2023-36475

Parse Server is affected by a prototype pollution vulnerability that enables remote code execution through the MongoDB BSON parser. The issue occurs in affected builds prior to 5.5.2 and 6.2.1, where a prototype pollution sink can be exploited to trigger RCE. A patch is available in versions 5.5....

CVSS 9.8 · AI score 9.7 · EPSS 0.09829
Exploits 0 · References 7 · Affected Software 1
Vulnrichment
added 2023/06/28 10:32 p.m., 15 views

CVE-2023-36475 Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 9.8 · AI score 7.9 · EPSS 0.09829
Exploits 0 · References 7
Cvelist
added 2023/06/28 10:32 p.m., 17 views

CVE-2023-36475 Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 9.8 · AI score 9.9 · EPSS 0.09829
Exploits 0 · References 7
OSV
added 2023/06/28 10:32 p.m., 24 views

CVE-2023-36475 Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 9.8 · AI score 9.4 · EPSS 0.09829
Exploits 0 · References 9