parse-server is vulnerable to authentication bypass. The flaw is in the handleSession function in RestWrite.js: when a `_Session` object is updated, the `user` field can be written by a user who does not own that session. A foreign (authenticated) user can therefore assign another user's session object to themselves and impersonate the victim. The affected version ranges are listed below; upgrade to a release newer than those listed.
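The following is an added illustration, not code from the Parse Server repository or from the advisory: a reduced model of the `_Session` update path that `handleSession` guards. The function names (`handleSessionVulnerable`, `handleSessionFixed`, `updateWhere`, `makeStore`), the in-memory store and the user and session identifiers are constructed for this example. The pre-fix variant only rejects a `user` value that names a different user, so a caller can point someone else's session at themselves; the hardened variant additionally restricts a non-master update to sessions the caller already owns. That the real fix constrains the update query this way is my reading of the linked commits and should be confirmed against them.

```javascript
// Added illustrative model of the authorisation logic the advisory describes.
// NOT Parse Server code: store, names and both check variants are simplified
// assumptions made to contrast "check the new value of `user`" with
// "also constrain which session the caller may update".

// Constructed sample data: two users, one _Session each.
function makeStore() {
  return {
    _Session: {
      sessVictim: {
        objectId: 'sessVictim',
        user: { __type: 'Pointer', className: '_User', objectId: 'victim' },
        sessionToken: 'r:victim-token',
      },
      sessAttacker: {
        objectId: 'sessAttacker',
        user: { __type: 'Pointer', className: '_User', objectId: 'attacker' },
        sessionToken: 'r:attacker-token',
      },
    },
  };
}

// Stand-in for a constrained update: apply `data` to the object matching
// `query` (objectId, plus an optional `user` pointer constraint). Returns the
// updated object, or null when no row matches the caller's view.
function updateWhere(store, className, query, data) {
  const obj = store[className][query.objectId];
  if (!obj) return null;
  if (query.user && obj.user.objectId !== query.user.objectId) return null;
  Object.assign(obj, data);
  return obj;
}

// Variant 1 (pre-fix behaviour as described in the advisory): the only check on
// `user` is that it must not name a *different* user. Pointing a foreign
// session at the caller passes this check, so the victim's session is rewritten.
function handleSessionVulnerable(store, auth, sessionId, data) {
  if (!auth.user && !auth.isMaster) throw new Error('Session token required.');
  if (data.user && !auth.isMaster && data.user.objectId !== auth.user.id) {
    throw new Error('Cannot assign session to another user.');
  }
  return updateWhere(store, '_Session', { objectId: sessionId }, data);
}

// Variant 2 (hardened): same field check, but a non-master caller's update is
// additionally constrained to sessions whose `user` already is the caller.
// A foreign session is simply not matched and nothing is written.
function handleSessionFixed(store, auth, sessionId, data) {
  if (!auth.user && !auth.isMaster) throw new Error('Session token required.');
  if (data.user && !auth.isMaster && data.user.objectId !== auth.user.id) {
    throw new Error('Cannot assign session to another user.');
  }
  const query = { objectId: sessionId };
  if (!auth.isMaster) {
    query.user = { __type: 'Pointer', className: '_User', objectId: auth.user.id };
  }
  return updateWhere(store, '_Session', query, data);
}

// Attack scenario: authenticated as "attacker", update the victim's session with
// {"user": {"__type":"Pointer","className":"_User","objectId":"attacker"}}.
// Returns the objectId that the victim's session points at afterwards.
function attackerReassignsVictimSession(handler) {
  const store = makeStore();
  const attackerAuth = { isMaster: false, user: { id: 'attacker' } };
  const payload = { user: { __type: 'Pointer', className: '_User', objectId: 'attacker' } };
  handler(store, attackerAuth, 'sessVictim', payload);
  return store._Session.sessVictim.user.objectId;
}

// Regression check for the fix: the owner can still update their own session
// (an arbitrary benign field in this model).
function ownerUpdatesOwnSession(handler) {
  const store = makeStore();
  const victimAuth = { isMaster: false, user: { id: 'victim' } };
  const updated = handler(store, victimAuth, 'sessVictim', { note: 'renewed' });
  return updated !== null && updated.note === 'renewed';
}

console.log('vulnerable: victim session now owned by', attackerReassignsVictimSession(handleSessionVulnerable));
console.log('fixed:      victim session still owned by', attackerReassignsVictimSession(handleSessionFixed));
```

The point to take from the model is that validating the value being written is not enough; the write must also be scoped to objects the caller is entitled to modify. The same pattern applies to any REST update path where object IDs are guessable or leak.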
Affected versions (CPE match; `le` means less than or equal to):

Name | Operator | Version
---|---|---
parse-server | le | 5.2.5
parse-server | le | 4.10.14
parse-server | le | 5.3.0-beta.1
github.com/advisories/GHSA-6w4q-23cf-j9jp
github.com/parse-community/parse-server/commit/6d0b2f534603301bb630d9c8e497af3bc7ff1d09
github.com/parse-community/parse-server/commit/7ca9ed01424478d299e5576ee4208bd9fea78760
github.com/parse-community/parse-server/pull/8182
github.com/parse-community/parse-server/pull/8183
github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp