Moumouls

Name of the Vulnerable Software and Affected Versions: Parse Server versions 5.3.0 through 7.5.3 Parse Server version 8.2.2 Description: Parse Server’s GraphQL API allowed public access to the GraphQL schema without requiring a session token or the master key in versions 5.3.0 through 7.5.3 and 8.2.2. Schema introspection reveals metadata, which can expand the potential attack surface. Recommendations: Update to Parse Server version 7.5.3 or later. Update to Parse Server version 8.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 5.5.5 Parse Server versions prior to 6.2.2 **Description** The issue concerns the Parse Cloud trigger `beforeFind` not being invoked in certain conditions of `Parse.Query`. This poses a risk for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability can be exploited by using a Parse Pointer to access internal Parse Server classes or circumvent the `beforeFind` query trigger. **Recommendations** For versions prior to 5.5.5, upgrade to version 5.5.5 or later. For versions prior to 6.2.2, upgrade to version 6.2.2 or later. As a temporary workaround, consider using Parse Server's security layers, such as Class-Level Permissions and Object-Level Access Control, to manage access levels instead of custom security layers in Cloud Code triggers.

**Name of the Vulnerable Software and Affected Versions** parser-server versions 3.5.0 through 4.2.x **Description** The issue allows an authenticated user using the `viewer` GraphQL query to bypass all read security on their User object and on objects linked via relation or Pointer on their User object. This vulnerability has been patched in Parse Server 4.3.0. **Recommendations** For parser-server versions 3.5.0 through 4.2.x, update to version 4.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the `viewer` GraphQL query until the patch is applied.