parse-server 输入验证错误漏洞

parse-server is an open source Backend-as-a-Service BaaS framework that is primarily used for application backend processing. A security vulnerability exists in versions prior to parse-server-push-adapter 4.1.3, which stems from an invalid push notification causing an excessive load that could...

Denial Of Services (DoS)

@parse/push-adapter is vulnerable to Denial Of Services DoS. The vulnerability exists because the library does not properly validate the push notification payload, which allows an attacker to crash the parse server by providing an invalid push notification payload...

Invalid push request payload crashes Parse Server

Impact The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. Patches Invalid push notification payload is caught and an logged. Workarounds n/a References -...

GHSA-MXHG-RVWX-X993 Invalid push request payload crashes Parse Server

Impact The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. Patches Invalid push notification payload is caught and an logged. Workarounds n/a References -...

@evocodes/parse-server (>=2.2.11 <=2.2.27), @m1r4ge/parse-server (>=2.2.7 <=2.2.11) +36 more potentially affected by CVE-2023-32688 via parse-server-push-adapter (>=1.0.4 <=1.3.0)

parse-server-push-adapter NPM version =1.0.4, =2.2.11, =2.2.7, =2.2.7, =0.1.7, =0.0.1, =1.0.0, =2.2.3, =2.3.8, =2.2.18-mod, =2.2.25, =2.2.17, =2.3.3 and more Source cves: CVE-2023-32688 Source advisory: OSV:GHSA-MXHG-RVWX-X993...

PT-2023-23963 · Unknown · Parse-Server-Push-Adapter

Name of the Vulnerable Software and Affected Versions: parse-server-push-adapter versions prior to 4.1.3 Description: The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. Recommendations: For versions prior to 4.1.3, update to version 4.1.3 to resolve...

CVE-2023-22474

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

Cross site request forgery (csrf)

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

CVE-2023-22474 Parse Server is vulnerable to authentication bypass via spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

CVE-2023-22474

Parse Server (Node.js backend) is affected by CVE-2023-22474 due to trusting the client IP from the x-forwarded-for header when not behind a proxy, allowing bypass of the masterKeyIps security check. The issue has been fixed in version 5.4.1, where IP address determination was rewritten and the t...

CVE-2023-22474 Parse Server is vulnerable to authentication bypass via spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

CVE-2023-22474 Parse Server is vulnerable to authentication bypass via spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server wi...

Parse Server 安全漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 5.4.1, which stems from a vulnerability that allows bypassing the Parse Server masterKeyIps security mechanism by setting the...

IP Spoofing

parse-server is vulnerable to IP Spoofing Attack Via HTTP Request Header. The vulnerability exists due to the incorrect implementation of the client IP address in the parse server option masterKeyIps of the library, which sets the allowed IP address to the the x-forwarded-for header value, allowi...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2023-22474 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2023-22474 Source advisory: OSV:GHSA-VM5R-C87R-PF6X...

GHSA-VM5R-C87R-PF6X Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various feature...

Parse Server option `masterKeyIps` vulnerability to IP spoofing

Impact Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various feature...

PT-2023-18526 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 5.4.1 Description: The issue arises from Parse Server's use of the request header x-forwarded-for to determine the client IP address. If Parse Server is not running behind a proxy server, a client can set this...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via a compromised parse server cloud code webhook target endpoint, resulting in prototype pollution...

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via cloud code webhooks or triggers and save malicious keywords on the database by passing crafted payloads through RestWrite function...