Spbavarva

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.60 Parse Server versions prior to 9.6.0-alpha.54 **Description** An attacker with a user's password and a valid multi-factor authentication (MFA) recovery code can reuse the recovery code an unlimited number of times by sending concurrent login requests. This circumvents the intended single-use functionality of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send requests rapidly. The issue stems from a lack of proper handling of single-use tokens during login attempts. The login handler did not employ optimistic locking when updating authentication data containing consumed single-use tokens, allowing concurrent requests to bypass the single-use restriction. **Recommendations** Update to Parse Server version 8.6.60 or later. Update to Parse Server version 9.6.0-alpha.54 or later.

**Name of the Vulnerable Software and Affected Versions** Statamic versions prior to 5.73.14 Statamic versions prior to 6.7.0 **Description** Statamic is a Laravel and Git powered content management system (CMS). Authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the `filename` configuration parameter in the file dictionary's fieldtype endpoint. The issue occurs through the manipulation of the `filename` parameter within the API endpoint used by the file dictionary fieldtype. **Recommendations** Update to Statamic version 5.73.14 or later. Update to Statamic version 6.7.0 or later.