VYPR

Parse Server

by Parse Community

Source repositories

CVEs (102)

  • CVE-2023-22474Feb 3, 2023
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header…

  • CVE-2022-41879Nov 10, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server…

  • CVE-2022-39396Nov 10, 2022
    risk 0.00cvss epss 0.39

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution…

  • CVE-2022-41878Nov 10, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers.…

  • CVE-2022-39313Oct 24, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service.…

  • CVE-2022-39231Sep 23, 2022
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which…

  • CVE-2022-39225Sep 23, 2022
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an…

  • CVE-2022-36079Sep 7, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are…

  • CVE-2022-31112Jun 30, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from…

  • CVE-2022-31089Jun 27, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a…

  • CVE-2022-31083Jun 17, 2022
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter not validated. As a result, authentication could potentially be…

  • CVE-2022-24901May 4, 2022
    risk 0.00cvss epss 0.01

    Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks…

  • CVE-2022-24760Mar 11, 2022
    risk 0.00cvss epss 0.49

    Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the…

  • CVE-2021-41109Sep 30, 2021
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a…

  • CVE-2021-39187Sep 2, 2021
    risk 0.00cvss epss 0.02

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver…

  • CVE-2021-39138Aug 18, 2021
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the…

  • CVE-2020-26288Dec 30, 2020
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version…

  • CVE-2020-15270Oct 22, 2020
    risk 0.00cvss epss 0.01

    Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session…

  • CVE-2020-15126Jul 22, 2020
    risk 0.00cvss epss 0.01

    In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.

  • CVE-2020-5251Mar 4, 2020
    risk 0.00cvss epss 0.01

    In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.

Page 5 of 6