
6932 matches found

Vulnrichment
added 2022/09/23 7:40 a.m. · 9 views

CVE-2022-39231 Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · AI score 4.1 · EPSS 0.00427
Exploits 0 · References 1
CVE
added 2022/09/23 7:40 a.m. · 64 views

CVE-2022-39231

Parse Server vulnerable versions prior to 4.10.16 and 5.0.0–5.2.6 expose an authentication bypass flaw in the Facebook/Spotify adapters where appIds configured as a string (instead of an array) can let requests from a different app ID slip through. The root cause is improper validation of the ada...

CVSS 3.7 · AI score 3.9 · EPSS 0.00427
Exploits 0 · References 1 · Affected Software 1
OSV
added 2022/09/23 7:40 a.m. · 14 views

CVE-2022-39231 Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVSS 3.7 · AI score 4.6 · EPSS 0.00427
Exploits 0 · References 3
NVD
added 2022/09/23 7:15 a.m. · 15 views

CVE-2022-39225

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · EPSS 0.00397
Exploits 0 · References 1
Prion
added 2022/09/23 7:15 a.m. · 13 views

Session fixation

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 2.1 · AI score 3.8 · EPSS 0.00397
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2022/09/23 6:40 a.m. · 7 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.4 · EPSS 0.00397
Exploits 0 · References 1
CVE
added 2022/09/23 6:40 a.m. · 99 views

CVE-2022-39225

Parse Server contains a vulnerability (CVE-2022-39225) where a user can write to another user’s session object if the session object ID is known, potentially reading custom fields. The issue affects older releases prior to 4.10.15 and 5.0.0–5.2.6, with patches in 4.10.15+ and 5.2.6+. Mitigation g...

CVSS 4.3 · AI score 4 · EPSS 0.00397
Exploits 0 · References 1 · Affected Software 1
OSV
added 2022/09/23 6:40 a.m. · 35 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.5 · EPSS 0.00397
Exploits 0 · References 3
Cvelist
added 2022/09/23 6:40 a.m. · 33 views

CVE-2022-39225 Parse Server subject to Incorrect Resource Transfer Between Spheres

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...

CVSS 4.3 · AI score 4.7 · EPSS 0.00397
Exploits 0 · References 1
CNNVD
added 2022/09/23 12:00 a.m. · 2 views

Parse Server security vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 4.10.15, 5.0.0 through 5.2.6. An attacker can use this vulnerability to assign a session object to his or her own user by writi...

CVSS 4.3 · AI score 5.2 · EPSS 0.00397
Exploits 0 · References 2
CNNVD
added 2022/09/23 12:00 a.m. · 3 views

Parse Server authorization issue vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An authorization issue vulnerability exists in Parse Server versions prior to 4.10.16, 5.0.0 through 5.2.7, which stems from an inability to validate the application IDs of Facebook and Spotify...

CVSS 3.7 · AI score 5.1 · EPSS 0.00427
Exploits 0 · References 2
Positive Technologies
added 2022/09/23 12:00 a.m. · 2 views

PT-2022-37297 · Libraw · Libraw

Name of the Vulnerable Software and Affected Versions: LibRaw affected versions not specified Description: The issue is related to an index-out-of-bounds crash. Technical details about the crash include the parse tiff ifd function, the parse tiff function, and the identify function...

AI score 6.8
Exploits 0 · References 2
vulnersOsv
added 2022/09/21 8:43 p.m. · 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39231 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-39231 Source advisory: OSV:GHSA-R657-33VP-GP22...

CVSS 3.7 · AI score 5.8 · EPSS 0.00427
Exploits 0
OSV
added 2022/09/21 8:43 p.m. · 2 views

GHSA-R657-33VP-GP22 parse-server auth adapter app ID validation can be circumvented

Impact Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side...

CVSS 3.7 · AI score 5.8 · EPSS 0.00427
Exploits 0 · References 6
Github Security Blog
added 2022/09/21 8:43 p.m. · 25 views

parse-server auth adapter app ID validation can be circumvented

Impact Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side...

CVSS 3.7 · AI score 4.7 · EPSS 0.00427
Exploits 0 · References 6 · Affected Software 1
vulnersOsv
added 2022/09/21 6:32 p.m. · 1 view

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-39225 via parse-server (>=2.0.8 <=3.10.0)

parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-39225 Source advisory: OSV:GHSA-6W4Q-23CF-J9JP...

CVSS 4.3 · AI score 5.8 · EPSS 0.00397
Exploits 0
Github Security Blog
added 2022/09/21 6:32 p.m. · 36 views

parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

CVSS 4.3 · AI score 4.6 · EPSS 0.00397
Exploits 0 · References 6 · Affected Software 1
OSV
added 2022/09/21 6:32 p.m. · 22 views

GHSA-6W4Q-23CF-J9JP parse-server's session object properties can be updated by foreign user if object ID is known

Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session t...

CVSS 4.3 · AI score 4.1 · EPSS 0.00397
Exploits 0 · References 6
Positive Technologies
added 2022/09/21 12:00 a.m. · 2 views

PT-2022-37291 · Git +1 · File

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow read crash has been reported. The crash involves the following functions: file magwarn, parse strength, and load 1. No information...

AI score 7
Exploits 0 · References 2
Positive Technologies
added 2022/09/21 12:00 a.m. · 3 views

PT-2022-24823 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.15 Parse Server versions 5.0.0 through 5.2.5 Description: A user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to...

CVSS 4.3 · AI score 3.8 · EPSS 0.00397
Exploits 0 · References 11