Headline

GHSA-93vw-8fm5-p2jf: Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

2 years ago

ghsa

Open in Source

#web #git #zero_day

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

High severity GitHub Reviewed Published Nov 10, 2022 in parse-community/parse-server • Updated Nov 10, 2022

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.

2 years ago

CVE

Open in Source

#web #nodejs #js #zero_day