Description
Versions prior to v1.0.5 are affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens etc.). The fix introduced in v1.0.5 unintentionally breaks uploading, so v1.0.7 is the fixed version.
The patch implements the double-submit cookie pattern.
Recommendation
Update the save-server package to the latest compatible version. Version details:
- Affected version(s): < 1.0.5
- Patched version(s): 1.0.7
References
Related Issues
- Parse Server option `masterKeyIps` vulnerability to IP spoofing - CVE-2023-22474
- ua-parser-js Regular Expression Denial of Service vulnerability - CVE-2020-7793
- Cross-site Scripting in lightning-server - CVE-2020-7747
- Parse Server stores password in plain text - CVE-2020-26288
Tags: npm, save-server
Last updated on January 09, 2023