Description
Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks.
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **>= 6.0.0, < 6.1.1**; **< 5.4.4**
Patched version(s): **6.1.1**, **5.4.4**
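To act on the recommendation, the following added example (not code from the advisory or from the Parse Server project) checks the `packages` map of an npm lockfile for parse-server entries that fall in the affected ranges. The function names and the sample lockfile are constructed for illustration, and the handling of prerelease versions is an assumption noted in the code.

```javascript
// Added example: audit an npm lockfile for parse-server versions in the affected ranges.
const PATCHED_6 = [6, 1, 1]; // patched release on the 6.x line (from the advisory)
const PATCHED_5 = [5, 4, 4]; // patched release for everything below 6.0.0

// Parse "x.y.z[-prerelease][+build]" into its numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = not affected, null = version string could not be parsed.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  if (p.core[0] > 6) return false; // the advisory lists no range above 6.x
  const fix = p.core[0] === 6 ? PATCHED_6 : PATCHED_5;
  const c = compareCore(p.core, fix);
  // Assumption: prereleases are judged by core version, and a prerelease of a
  // patched version is flagged too, since semver orders it below the release.
  return c < 0 || (c === 0 && p.prerelease);
}

// Walk the lockfile v2/v3 "packages" map, including nested copies of parse-server.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/parse-server$/.test(path)) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) findings.push({ path, version: meta.version, affected });
  }
  return findings;
}

// Constructed sample lockfile; "dep-a" and "dep-b" are hypothetical packages.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/parse-server": { version: "6.0.0" },
  "node_modules/dep-a/node_modules/parse-server": { version: "5.4.4" },
  "node_modules/dep-b/node_modules/parse-server": { version: "4.10.20" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

An entry reported with `affected: null` has a version string that could not be parsed and should be checked by hand.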
References
Related Issues
- Parse Server may crash when uploading file without extension - CVE-2023-46119
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle - CVE-2024-43373
- FUXA local file inclusion vulnerability - CVE-2023-31718
Tags: npm, parse-server
Last updated on November 05, 2023