1602 matches found

CVE
added 2022/10/24 12:00 a.m. · 69 views

CVE-2022-39313

Parse Server is affected by a Denial of Service when handling a file download request with an invalid byte range. The issue occurs in versions prior to 4.10.17 and, on the 5.x branch, prior to 5.2.8, where such requests crash the server. Patches are available in v4.10.17 and v5.2.8. No workaround...

CVSS 7.5 · AI score 7.4 · EPSS 0.00334
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2022/10/24 12:00 a.m. · 6 views

CVE-2022-39313 Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS 7.5 · AI score 7.5 · EPSS 0.00334
Exploits 0 · References 1
Cvelist
added 2022/10/24 12:00 a.m. · 12 views

CVE-2022-39313 Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVSS 7.5 · AI score 7.6 · EPSS 0.00334
Exploits 0 · References 1
vulnersOsv
added 2022/10/18 4:08 p.m. · 2 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39313 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM versions =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more. Source CVEs: CVE-2022-39313. Source advisory: OSV:GHSA-H423-W6QV-2WJ3...

CVSS 7.5 · AI score 7.1 · EPSS 0.00334
Exploits 0
Github Security Blog
added 2022/10/18 4:08 p.m. · 48 views

parse-server crashes when receiving file download request with invalid byte range

Impact Parse Server crashes when a file download request is received with an invalid byte range. Patches Improved parsing of the range parameter to properly handle invalid range requests. Workarounds None References - GHSA-h423-w6qv-2wj3...

CVSS 7.5 · AI score 7.3 · EPSS 0.00334
Exploits 0 · References 6 · Affected Software 1
Positive Technologies
added 2022/10/18 12:00 a.m. · 2 views

PT-2022-24895 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.17 Parse Server versions prior to 5.2.8 on the 5.x branch Description: The issue occurs when a file download request is received with an invalid byte range, causing the server to crash and resulting in a...

CVSS 7.5 · AI score 7.3 · EPSS 0.00334
Exploits 0 · References 10
Veracode
added 2022/09/27 7:15 a.m. · 15 views

Authentication Bypass

parse-server is vulnerable to authentication bypass. The vulnerability exists in validateAppId function in facebook.js and spotify.js because the appIds in server-side authentication adapter configuration is set as a string which allows an attacker to send requests from different appIds and get...

CVSS 3.7 · AI score 4.8 · EPSS 0.00196
Exploits 0 · References 9 · Affected Software 1
NVD
added 2022/09/23 8:15 a.m. · 12 views

CVE-2022-39231

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · EPSS 0.00196
Exploits 0 · References 1
Prion
added 2022/09/23 8:15 a.m. · 12 views

Authentication flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 2.6 · AI score 4.1 · EPSS 0.00196
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2022/09/23 7:40 a.m. · 15 views

CVE-2022-39231 Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · AI score 4.4 · EPSS 0.00196
Exploits 0 · References 1
CVE
added 2022/09/23 7:40 a.m. · 63 views

CVE-2022-39231

Parse Server versions prior to 4.10.16 and 5.0.0–5.2.6 are affected by an authentication bypass flaw in the Facebook/Spotify adapters: when appIds is configured as a string (instead of an array), requests carrying a different app ID can slip through. The root cause is improper validation of the ada...

CVSS 3.7 · AI score 3.9 · EPSS 0.00196
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2022/09/23 7:40 a.m. · 9 views

CVE-2022-39231 Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · AI score 4.1 · EPSS 0.00196
Exploits 0 · References 1
OSV
added 2022/09/23 7:40 a.m. · 14 views

CVE-2022-39231 Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · AI score 4.6 · EPSS 0.00196
Exploits 0 · References 3
NVD
added 2022/09/23 7:15 a.m. · 13 views

CVE-2022-39225

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · EPSS 0.00221
Exploits 0 · References 1
Prion
added 2022/09/23 7:15 a.m. · 12 views

Session fixation

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 2.1 · AI score 3.8 · EPSS 0.00221
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2022/09/23 6:40 a.m. · 16 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.7 · EPSS 0.00221
Exploits 0 · References 1
CVE
added 2022/09/23 6:40 a.m. · 99 views

CVE-2022-39225

Parse Server contains a vulnerability (CVE-2022-39225) where a user can write to another user’s session object if the session object ID is known, potentially reading custom fields. The issue affects older releases prior to 4.10.15 and 5.0.0–5.2.6, with patches in 4.10.15+ and 5.2.6+. Mitigation g...

CVSS 4.3 · AI score 4 · EPSS 0.00221
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2022/09/23 6:40 a.m. · 7 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.4 · EPSS 0.00221
Exploits 0 · References 1
OSV
added 2022/09/23 6:40 a.m. · 31 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.5 · EPSS 0.00221
Exploits 0 · References 3
CNNVD
added 2022/09/23 12:00 a.m. · 1 views

Parse Server Security Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.15, 5.0.0 through 5.2.6. An attacker can use this vulnerability to assign a session object to his or her own user by writi...

CVSS 4.3 · AI score 5.2 · EPSS 0.00221
Exploits 0 · References 2