Parse · Parse Server · CVE-2020-5251
**Name of the Vulnerable Software and Affected Versions**
parse-server versions prior to 4.1.0
**Description**
The issue allows fetching all user objects by injecting a regex operator into the NoSQL query, specifically targeting the session token. Through the API endpoint "/parse/users/me", a regex can be supplied on the `sessionToken` field, such as `"sessionToken":{"$regex":"r:027f"}`, and the server matches a session token by prefix instead of requiring the exact value. Similar weaknesses exist in the verify email and request password reset functionalities, where the `token` parameter can likewise carry a regex operator to verify an account or reset a password, for example via the endpoint `http://localhost:1337/parse/apps/kickbox/verify email?token[$regex]=a&username=some@email.com` or `http://localhost:1337/parse/apps/kickbox/request password reset?token[$regex]=a&username=some@email.com`. This method enables retrieval of accounts without user interaction.
**Recommendations**
For parse-server versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the NoSQL query functionality and rejecting regex operators on the `sessionToken` parameter until the patch is applied. Additionally, restrict access to the verify email and request password reset endpoints to minimize the risk of exploitation.
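As an added example (not Parse Server's own code; JavaScript because Parse Server runs on Node.js), the following shows the shape of the check behind the description and the workaround above: token fields must arrive as plain strings, never as objects carrying a `$regex` operator, plus an access-log check that flags requests using the bracketed-operator form. `parseQuery` is a minimal hypothetical stand-in for an Express-style query parser, and the log lines are constructed.

```javascript
// Added example, not Parse Server's code. CVE-2020-5251 was fixed in 4.1.0;
// the check is: token-like fields must be plain strings, never operator objects.
const TOKEN_FIELDS = ['sessionToken', 'token'];
// Hypothetical minimal stand-in for an Express-style query parser: expands
// "token[$regex]=a" into { token: { $regex: 'a' } }, which is how an operator
// reaches the database layer when the value is never type-checked.
function parseQuery(qs) {
  const out = {};
  for (const part of qs.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? part : part.slice(0, eq));
    const val = eq < 0 ? '' : decodeURIComponent(part.slice(eq + 1).replace(/\+/g, ' '));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      if (typeof out[m[1]] !== 'object' || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}
// Hardened check: every token-like field that is present must be a plain string.
function tokenFieldsAreStrings(params) {
  return TOKEN_FIELDS.every(f => !(f in params) || typeof params[f] === 'string');
}
// Build the session lookup only after validation, so an operator object can
// never be spliced into the filter that goes to MongoDB.
function buildSessionFilter(params) {
  if (typeof params.sessionToken !== 'string' || params.sessionToken === '') {
    throw new Error('sessionToken must be a non-empty string');
  }
  return { sessionToken: params.sessionToken };
}
// Detection: flag access-log lines whose request carries a bracketed $operator
// on a token parameter, the request shape this advisory describes.
function flagRequestLine(line) {
  let decoded;
  try { decoded = decodeURIComponent(line); } catch (e) { decoded = line; }
  return /[?&](?:sessionToken|token)\[\$[A-Za-z]+\]=/.test(decoded);
}
// Constructed sample log lines (not from a real deployment).
const SAMPLE_LOG = [
  'GET /parse/apps/kickbox/verify_email?token%5B%24regex%5D=a&username=some@email.com 200',
  'GET /parse/apps/kickbox/verify_email?token=7f3a9c0d&username=some@email.com 200',
];
```

Running `SAMPLE_LOG.filter(flagRequestLine)` returns only the first line; the same type check should be applied to the JSON body of `/parse/users/me`, where the operator arrives as an object rather than a bracketed key.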