CVE-2023-32689

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 5.4.4 and 6.1.1

Description The issue involves a phishing attack vulnerability where a malicious user can upload an HTML file to Parse Server via its public API. This uploaded HTML file can then be accessed at the internet domain where Parse Server is hosted, potentially making it seem legitimate as it is served under the same domain as a company's official website. An additional security concern arises when using the Parse JavaScript SDK, which stores sessions in the browser's local storage. A malicious HTML file could contain a script to retrieve the user's session token from local storage and share it with the attacker.

Recommendations For versions prior to 5.4.4 and 6.1.1, update to version 5.4.4 or 6.1.1 to include the fix that adds a new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to ['.*'] or another custom value to override the default. As a temporary workaround, consider restricting access to the public API to minimize the risk of exploitation.