Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.
References
- Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 4.10.20 (exclusive); versions from 5.0.0 (inclusive) up to 5.3.3 (exclusive)
One of
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 63%
Score: 0.00438 (Low)
CVSS3: 7.2 High
CVSS3: 9.8 Critical
Weaknesses
CWE-1321
Related vulnerabilities
CVSS3: 7.2
github
about 3 years ago
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks