Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41879: Prototype pollution via Cloud Code Webhooks

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.

CVE
Open in Source
#web#nodejs#js#zero_day

Package

npm parse-server (npm)

Affected versions

(<4.10.20) || (>=5.0.0 <5.3.3)

Patched versions

(>=4.10.20 <5.0.0) || (>=5.3.3)

Description

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

  • GHSA-93vw-8fm5-p2jf

Related news

GHSA-93vw-8fm5-p2jf: Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

### Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. ### Patches Improved keyword detection. ### Workarounds None. ### Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE