Lucene search
Veracode Vulnerability DatabaseVERACODE:37267HistorySep 26, 2022 - 8:41 a.m.
Authentication Bypass
2022-09-2608:41:48
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
8
authentication bypass
restwrite.js
session object
impersonate
0.001 Low
EPSS
Percentile
22.7%
parse-server is vulnerable to authentication bypass. The vulnerability exists in handleSession function in RestWrite.js which enables a foreign user to assign the session object of another user to their own by writing to the user field and impersonate the victim.
| CPE | Name | Operator | Version |
|---|---|---|---|
| parse-server | le | 5.2.5 | |
| parse-server | le | 4.10.14 | |
| parse-server | le | 5.3.0-beta.1 | |
| parse-server | le | 5.2.5 | |
| parse-server | le | 4.10.14 | |
| parse-server | le | 5.3.0-beta.1 |
References
github.com/advisories/GHSA-6w4q-23cf-j9jp
github.com/parse-community/parse-server/commit/6d0b2f534603301bb630d9c8e497af3bc7ff1d09
github.com/parse-community/parse-server/commit/7ca9ed01424478d299e5576ee4208bd9fea78760
github.com/parse-community/parse-server/pull/8182
github.com/parse-community/parse-server/pull/8183
github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp
Related
github
github
nvd
nvd
CVE-2022-39225
2022-09-23 07:15:09
osv
osv
parse-server's session object properties can be updated by foreign user if object ID is known
2022-09-21 18:32:01
CVE-2022-39225
2022-09-23 07:15:09
BIT-parse-2022-39225
2024-03-06 11:02:05
prion
prion
Session fixation
2022-09-23 07:15:00
cve
cve
CVE-2022-39225
2022-09-23 07:15:09
cvelist
cvelist