PT-2026-21837 · Parse · Parse-Dashboard
Mtrezza
·
Publicado
2026-02-25
·
Atualizado
2026-02-25
·
CVE-2026-27609
CVSS v4.0
8.3
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7
Description
The Parse Dashboard AI Agent API endpoint (
POST /apps/:appId/agent) does not have Cross-Site Request Forgery (CSRF) protection. An attacker can create a malicious webpage that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim’s session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.Recommendations
Versions 7.3.0-alpha.42 through 9.0.0-alpha.7: Remove the
agent configuration block from your dashboard configuration.Exploit
Correção
CSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Parse-Dashboard