parse-server is vulnerable to prototype pollution. A remote attacker can bypass the requestKeywordDenylist
option via a compromised Parse Server Cloud Code Webhook target endpoint, resulting in prototype pollution.
CPE

Name | Operator | Version
---|---|---
parse-server | le | 5.3.2
parse-server | le | 4.10.19
github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8
github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4
github.com/parse-community/parse-server/pull/8306
github.com/parse-community/parse-server/releases/tag/4.10.20
github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf