parse-url cross-site scripting vulnerability
parse-url is an advanced url parser with git url support. A cross-site scripting vulnerability exists in parse-url versions prior to 7.0.0, which stems from the ability to run malicious JS code using ASCII characters starting with and all special escape characters starting with Unicode, which can...
@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-31112 via parse-server (>=2.0.8 <=3.10.0)
parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-31112 Source advisory: OSV:GHSA-CRRQ-VR9J-FXXH...
Protected fields exposed via LiveQuery
Impact: Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches: The LiveQueryController now removes protected fields from the client response. Workarounds: Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References -...
GHSA-CRRQ-VR9J-FXXH Protected fields exposed via LiveQuery
Impact: Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches: The LiveQueryController now removes protected fields from the client response. Workarounds: Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References -...
Regular Expression Denial of Service (ReDoS)
Description: I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in parse-url. It allows causing a denial of service when calling the function parse-url. The ReDoS vulnerability is mainly due to the regex /git@|https?://\w.@+/|:,\w,-,,/+.git0,1/0,1/ and can be...
CVE-2022-0722
A flaw was found in the parse-url package. Affected versions of this package are vulnerable to information exposure due to an improper validation issue...
[SECURITY] Fedora 36 Update: golang-github-andybalholm-cascadia-1.2.0-6.fc36
The Cascadia package implements CSS selectors for use with the parse trees produced by the html package...
The vulnerability of the parse_command_modifiers function in the Vim text editor allows an attacker to compromise the confidentiality, integrity, and accessibility of the protected information.
The vulnerability of the parse_command_modifiers function in the Vim text editor is related to writing beyond buffer boundaries in memory. Exploiting this vulnerability could allow an attacker to compromise the confidentiality, integrity, and accessibility of the protected information...
Cross Site Scripting via Improper Input Validation (parser differential)
Description I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...
PT-2022-3915 · Linux +8 · Linux Kernel +8
Name of the Vulnerable Software and Affected Versions: Linux kernel versions through 5.18.9. Description: A type confusion bug in nft_set_elem_init leading to a buffer overflow could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an...
GO-2022-0197 Panic when parsing certain inputs in golang.org/x/net/html
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input ""...
GO-2022-0192 Incorrect parsing of nested templates in golang.org/x/net/html
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input ""...
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
...
Information Disclosure
parse-server is vulnerable to information disclosure. A remote unauthenticated attacker is able to gain access to sensitive user information because the library does not remove protected fields in classes and passes them to the client...
CVE-2022-2217
A cross-site scripting (XSS) flaw was found in the parse-url package of npm. This issue could allow an attacker to use escape characters to run malicious JavaScript code on a webpage that was generated by the affected package. The highest impact is to integrity and confidentiality...
File Protocol Spoofing
Description: parse-url misinterprets the file:// protocol when trying to match git urls. The following payload is certainly valid file protocol but is interpreted as ssh protocol. file:///etc/passwd?http://a:1:1 Proof of Concept // PoC.js const fs = require('fs'); var parseURL = require("parse-url")...
CVE-2022-31112
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
Design/Logic Flaw
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
CVE-2022-31112 Protected fields exposed via LiveQuery in parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...