ZDI-22-1592
Credit: Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu
History: Nov 15, 2022 - 12:00 a.m.

Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability

2022-11-15 00:00:00
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu
www.zerodayinitiative.com
parse server
prototype pollution
remote code execution
authentication
vulnerability
object prototypes
service account

EPSS: 0.002 (Low)
EPSS Percentile: 59.7%

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parse Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the _expandResultOnKeyPath function. The issue results from the lack of control over modifications to attributes of object prototypes. An attacker can leverage this vulnerability to execute code in the context of the service account.
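As an added illustration, not Parse Server's own code: a hypothetical key-path expander with the guard the advisory's description implies (refusing path segments that would modify object prototypes), a batch applier that reports rejected paths, and a check that Object.prototype stays clean. The function name and structure are assumptions, not the real _expandResultOnKeyPath.

```javascript
// Added example: a hypothetical stand-in for a key-path expander, NOT
// Parse Server's _expandResultOnKeyPath. It shows the class of check the
// advisory calls for: dotted-path assignment must never reach the prototype.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted `keyPath` inside `result`, creating
// intermediate objects as needed; throws on prototype-reaching segments.
function expandResultOnKeyPath(result, keyPath, value) {
  const segments = keyPath.split('.');
  let node = result;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`Rejected key path segment: ${key}`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
      return result;
    }
    // Only descend into own, plain-object properties; otherwise create a
    // null-prototype container so a later segment cannot walk upward.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  return result;
}

// Apply a batch of [keyPath, value] updates, reporting which were rejected.
function applyUpdates(result, updates) {
  const rejected = [];
  for (const [keyPath, value] of updates) {
    try {
      expandResultOnKeyPath(result, keyPath, value);
    } catch (e) {
      rejected.push(keyPath);
    }
  }
  return { result, rejected };
}

// Detection helper: true if no property named `marker` leaked onto
// Object.prototype (checked through a fresh empty object's chain).
function globalPrototypeIsClean(marker) {
  return !(marker in {});
}
```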
