Описание
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.
Ссылки
- Issue TrackingPatch
- Issue TrackingPatch
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 8.6.1 (исключая)
Одно из
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.0.0:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.1.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.1.0:alpha2:*:*:*:node.js:*:*
EPSS
Процентиль: 8%
0.0003
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
github
около 2 месяцев назад
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
EPSS
Процентиль: 8%
0.0003
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79