Description
Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks.
Recommendation
Update the parse-server package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 6.0.0, < 6.1.1** and **< 5.4.4**
Patched version(s): **6.1.1** and **5.4.4**
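As an added example (not part of the original advisory or of the parse-server project), the following JavaScript scans an npm lockfile for parse-server copies that fall in the affected ranges listed above. The lockfile excerpt and the dependent package names are constructed for illustration, and pre-release builds are reported for manual review rather than classified.

```javascript
// Added example: classify parse-server versions against this advisory's ranges.
// Affected (from the page): ">= 6.0.0, < 6.1.1" and "< 5.4.4".

// Compare two [major, minor, patch] triples; returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(version).trim());
  if (!m) return "unparseable";
  // Pre-release builds sit outside the advisory's stated ranges: flag for a human.
  if (m[4]) return "review-prerelease";
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const in5x = cmp(v, [5, 4, 4]) < 0;
  const in6x = cmp(v, [6, 0, 0]) >= 0 && cmp(v, [6, 1, 1]) < 0;
  return in5x || in6x ? "affected" : "not-affected";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other dependencies.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/parse-server" || path.endsWith("/node_modules/parse-server")) {
      hits.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return hits;
}

// Constructed lockfile excerpt; the dependent package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/parse-server": { version: "6.0.0" },
    "node_modules/legacy-api/node_modules/parse-server": { version: "4.10.3" },
    "node_modules/patched-api/node_modules/parse-server": { version: "5.4.4" },
    "node_modules/beta-api/node_modules/parse-server": { version: "6.1.0-alpha.2" },
    "node_modules/parse-server-helper": { version: "1.0.0" },
  },
};

for (const hit of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.status.padEnd(18)} ${String(hit.version).padEnd(14)} ${hit.path}`);
}
```

Nested copies matter here because a patched top-level parse-server does not update a vulnerable copy pinned by another dependency.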
References
Related Issues
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Remote Code Execution on click of <a> Link in markdown preview - CVE-2024-49362
Tags:
- npm
- parse-server
Last updated on November 05, 2023