Lucene search
+L
ParseplatformParse-server

12 matches found

CVE
CVE
added 2022/03/11 11:55 p.m.141 views

CVE-2022-24760

The set of connected sources confirms CVE-2022-24760 is a real vulnerability in Parse Server (pre-4.10.7) caused by prototype pollution in DatabaseController.js, enabling Remote Code Execution with default MongoDB configurations on Linux/Windows. Impact is described as RCE (high severity) with a ...

10CVSS9.5AI score0.49081EPSS
CVE
CVE
added 2022/11/10 12:0 a.m.140 views

CVE-2022-39396

Parse Server is vulnerable to Remote Code Execution via prototype pollution in the MongoDB BSON parser. Affected are versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch. The issue is fixed in 4.10.18 and in 5.3.1; there are no known workarounds."

9.8CVSS9.8AI score0.38717EPSS
CVE
CVE
added 2022/05/04 1:10 a.m.133 views

CVE-2022-24901

CVE-2022-24901 describes an authentication bypass and potential denial of service in the Apple Game Center authentication adapter used by parse-server. The root cause is improper validation of the Apple certificate URL, enabling bypassing authentication and exposing the server to DoS. The publish...

7.5CVSS7.2AI score0.00639EPSS
CVE
CVE
added 2022/09/23 6:40 a.m.110 views

CVE-2022-39225

Parse Server contains a vulnerability (CVE-2022-39225) where a user can write to another user’s session object if the session object ID is known, potentially reading custom fields. The issue affects older releases prior to 4.10.15 and 5.0.0–5.2.6, with patches in 4.10.15+ and 5.2.6+. Mitigation g...

4.3CVSS4AI score0.00408EPSS
CVE
CVE
added 2022/06/17 6:15 p.m.107 views

CVE-2022-31083

Parse Server vulnerability CVE-2022-31083 affects the Apple Game Center auth adapter. Prior to versions 4.10.11 and 5.2.2, the certificate in this adapter was not validated, potentially allowing authentication bypass by supplying a forged certificate via certain Apple domains and an authData URL....

8.6CVSS7.4AI score0.00824EPSS
CVE
CVE
added 2022/06/27 9:10 p.m.103 views

CVE-2022-31089

CVE-2022-31089 affects Parse Server (Node.js backend). The vulnerability arises from improper handling of certain invalid file requests, which can crash the server. Impact: availability can be high for a single instance, lower for clustered setups. The issue has been fixed in versions 4.10.12 and...

7.5CVSS7.4AI score0.01075EPSS
CVE
CVE
added 2022/11/10 12:0 a.m.92 views

CVE-2022-41878

Parse Server contains a prototype pollution vulnerability (CVE-2022-41878) where keywords defined in the requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers, allowing them to be saved to the database and bypass the denylist. Affected versions are prior to 4.10.19 or 5.3.2; ...

9.8CVSS8AI score0.00875EPSS
CVE
CVE
added 2022/06/30 4:40 p.m.89 views

CVE-2022-31112

Parse Server LiveQuery vulnerability (CVE-2022-31112): protected fields in classes were exposed to clients because LiveQueryController failed to strip them. The issue affects Parse Server LiveQuery; the fix is implemented by removing protected fields from client responses in the updated controlle...

8.2CVSS8.1AI score0.01239EPSS
CVE
CVE
added 2022/10/24 12:0 a.m.76 views

CVE-2022-39313

Parse Server is affected by a Denial of Service when handling a file download request with an invalid byte range. The issue occurs in versions prior to 4.10.17 and, on the 5.x branch, prior to 5.2.8, where such requests crash the server. Patches are available in v4.10.17 and v5.2.8. No workaround...

7.5CVSS7.4AI score0.00689EPSS
CVE
CVE
added 2022/09/07 8:40 p.m.75 views

CVE-2022-36079

CVE-2022-36079 affects Parse Server. Internal/protected fields (prefixed with '_') can be used as query constraints, and before fixes users could enumerate these fields to elicit a response object. This vulnerability existed prior to patches in versions 4.10.14 and 5.2.5, which require the master...

8.6CVSS7.9AI score0.01002EPSS
CVE
CVE
added 2022/11/10 12:0 a.m.70 views

CVE-2022-41879

Parse Server is affected by a prototype pollution vulnerability in Cloud Code Webhook targets. In versions prior to 5.3.3 and 4.10.20, an attacker can exploit a compromised Cloud Code Webhook endpoint to bypass the server’s requestKeywordDenylist, enabling prototype pollution with potentially hig...

9.8CVSS8.2AI score0.00809EPSS
CVE
CVE
added 2022/09/23 7:40 a.m.67 views

CVE-2022-39231

Parse Server vulnerable versions prior to 4.10.16 and 5.0.0–5.2.6 expose an authentication bypass flaw in the Facebook/Spotify adapters where appIds configured as a string (instead of an array) can let requests from a different app ID slip through. The root cause is improper validation of the ada...

3.7CVSS3.9AI score0.00439EPSS