Description
Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks.
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **>= 6.0.0, < 6.1.1** and **< 5.4.4**
Patched version(s): **6.1.1** and **5.4.4**
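As an added example (not part of the advisory or of the Parse Server project), the script below finds every copy of parse-server in a parsed `package-lock.json`, including nested transitive copies, and checks each against the affected ranges. It assumes the ranges above mean `< 5.4.4`, or `>= 6.0.0` and `< 6.1.1`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges as read from the advisory (assumption): < 5.4.4, or >= 6.0.0 and < 6.1.1.
// Parse plain "MAJOR.MINOR.PATCH"; pre-releases and non-semver strings return null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True if version a sorts strictly before version b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// true = affected, false = patched, null = could not decide (review by hand).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const before = (s) => lessThan(v, parseVersion(s));
  return before("5.4.4") || (!before("6.0.0") && before("6.1.1"));
}

// Collect every parse-server copy: "packages" map (lockfile v2/v3) or "dependencies" tree (v1).
function findParseServer(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/parse-server$/.test(path)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "parse-server") hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile; "legacy-api" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/parse-server": { version: "6.0.0" },
    "node_modules/legacy-api/node_modules/parse-server": { version: "5.4.4" },
  },
};
console.log(findParseServer(sampleLock));
```

A `null` result (pre-release tag or non-semver version string) means the entry needs manual review rather than being treated as safe.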
References
Related Issues
- Parse Server may crash when uploading file without extension - CVE-2023-46119
- FUXA local file inclusion vulnerability - CVE-2023-31718
- Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
- Parse Server option `masterKeyIps` vulnerability to IP spoofing - CVE-2023-22474
Tags: npm, parse-server
Last updated on November 05, 2023