Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
- Severity: High
Description
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **>= 5.0.0, < 5.3.2; < 4.10.19** Patched version(s): **5.3.2, 4.10.19**
References
Related Issues
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
- Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
- Tags: npm, parse-server
Last updated on August 21, 2023