CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile: 45.0%
Parse Server is affected by an Incorrect Control Flow Implementation vulnerability. The beforeFind trigger is not invoked when the Parse.Query method is executed under certain conditions. This can lead to access control issues when beforeFind is used as a security layer to modify the incoming query.
docs.parseplatform.org/parse-server/guide/#security
github.com/parse-community/parse-server/commit/7f5d744ce2eea774a10ab0a8c47bd587941c7775
github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5
github.com/parse-community/parse-server/releases/tag/5.5.5
github.com/parse-community/parse-server/releases/tag/6.2.2
github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q