5 matches found

OSV
added 2024/03/06 11:1 a.m., 11 views

BIT-PARSE-2022-41879 Parse Server subject to Prototype pollution via Cloud Code Webhooks

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

CVSS 9.8, AI score 8.1, EPSS 0.00462
Exploits: 0, References: 2

Veracode
added 2022/11/16 10:8 a.m., 16 views

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via a compromised parse server cloud code webhook target endpoint, resulting in prototype pollution...

CVSS 9.8, AI score 8.9, EPSS 0.00462
Exploits: 0, References: 5, Affected Software: 1

Veracode
added 2022/11/16 9:18 a.m., 23 views

Prototype Pollution

parse-server is vulnerable to prototype pollution. A remote attacker is able to bypass the requestKeywordDenylist option via cloud code webhooks or triggers and save malicious keywords on the database by passing crafted payloads through RestWrite function...

CVSS 9.8, AI score 9.1, EPSS 0.00542
Exploits: 0, References: 5, Affected Software: 1

Prion
added 2022/11/10 9:15 p.m., 13 views

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

CVSS 7.5, AI score 9.4, EPSS 0.00462
Exploits: 0, References: 1, Affected Software: 1

Github Security Blog
added 2022/11/10 1:2 p.m., 25 views

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact: A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. Patches: Improved keyword detection. Workarounds: None. Collaborators: Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musar...

CVSS 9.8, AI score 9, EPSS 0.00462
Exploits: 0, References: 9, Affected Software: 1