GHSA-jhgf-2h8h-ggxv

Published: 16 Dec 2025
Source: github
Github: Reviewed
CVSS4: 5.3

Description

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Impact

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages.

Patches

The patch escapes user-controlled values that are inserted into the HTML pages.

Workarounds

None.

Resources

Packages

Name: parse-server (npm)
Affected versions: < 8.6.1
Fixed version: 8.6.1

Name: parse-server (npm)
Affected versions: >= 9.0.0, < 9.1.0-alpha.3
Fixed version: 9.1.0-alpha.3

EPSS

Percentile: 9%
Score: 0.00033
Low

CVSS4: 5.3 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
about 2 months ago

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user-controlled values that are inserted into the HTML pages. No known workarounds are available.
