Mtrezza

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.66 Parse Server versions prior to 9.7.0-alpha.10 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the `allowOrigin` server option, unconditionally allowing cross-origin requests from any website. This bypasses origin restrictions configured by operators to control website interactions with the Parse Server API. The REST API correctly enforces the configured `allowOrigin` restriction. The issue affects the ''/graphql'' API endpoint. **Recommendations** Upgrade to Parse Server version 8.6.66 or later. Upgrade to Parse Server version 9.7.0-alpha.10 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.65 Parse Server versions prior to 9.7.0-alpha.9 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where sensitive data can leak to unauthorized clients or incomplete data can be received by authorized clients when multiple clients subscribe to the same class via LiveQuery. This occurs because event handlers process subscribers concurrently using shared mutable objects, and the sensitive data filter modifies these objects in-place. Additionally, modifications from one subscriber's afterEvent Cloud Code trigger can leak to other subscribers through the same shared mutable state. Any deployment utilizing LiveQuery with protected fields or afterEvent triggers is potentially affected. **Recommendations** Parse Server versions prior to 8.6.65 should be updated to version 8.6.65 or later. Parse Server versions prior to 9.7.0-alpha.9 should be updated to version 9.7.0-alpha.9 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.61 Parse Server versions prior to 9.6.0-alpha.55 **Description** Parse Server is an open source backend deployable on Node.js infrastructures. An authenticated user calling the `GET /users/me` API endpoint receives unsanitized authentication data, which includes sensitive credentials like MFA TOTP secrets and recovery codes. The endpoint utilizes master-level authentication for session queries, and this master context leaks into user data, circumventing auth adapter sanitization. An attacker with a user's session token can extract MFA secrets and generate valid TOTP codes indefinitely. **Recommendations** Update to Parse Server version 8.6.61 or later. Update to Parse Server version 9.6.0-alpha.55 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.59 Parse Server versions prior to 9.6.0-alpha.53 **Description** Parse Server, an open source backend deployable on Node.js infrastructure, contains a flaw where an attacker possessing master key access can execute arbitrary SQL statements on a PostgreSQL database. This is achieved by injecting SQL metacharacters into field name parameters within the aggregate `$group` pipeline stage or the `distinct` operation. Successful exploitation allows for privilege escalation, granting the attacker PostgreSQL database-level access from their existing Parse Server application-level administrator privileges. Deployments utilizing MongoDB are not impacted by this issue. The vulnerability stems from insufficient validation of field names in the aggregate `$group. id` object values and `distinct` dot-notation parameters, allowing for SQL injection through the `:raw` interpolation used in the PostgreSQL storage adapter. **Recommendations** Upgrade to Parse Server version 8.6.59 or later. Upgrade to Parse Server version 9.6.0-alpha.53 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.58 Parse Server versions prior to 9.6.0-alpha.52 **Description** An unauthenticated attacker can cause a denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request. Because no database index exists for unconfigured providers, each request triggers a full collection scan on the user database, which can be parallelized to saturate database resources. **Recommendations** Upgrade to Parse Server version 8.6.58 or later. Upgrade to Parse Server version 9.6.0-alpha.52 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.35 Parse Server versions prior to 8.6.50 **Description** Parse Server is an open source backend deployable on Node.js infrastructures. When a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server unintentionally exposes protected fields and `authData` to all subscribers of that class. Class-Level Permissions (`protectedFields`) are not correctly enforced in LiveQuery event payloads for create, update, delete, enter, and leave events. Users with appropriate permissions can access sensitive data of other users, including personal information and OAuth tokens. This issue stems from a reference detachment bug where a JSON copy of the event object is created without the sensitive data filter applied. The fix ensures the filter operates on the data sent to clients. **Recommendations** For versions prior to 9.6.0-alpha.35, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. For versions prior to 8.6.50, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.21 and 8.6.45 **Description** Parse Server is an open source backend deployable on Node.js infrastructures. An unauthenticated attacker can disrupt service by sending a request containing deeply nested query condition operators, causing the Parse Server process to terminate and denying service to connected clients. The issue is addressed by adding a depth limit for query condition operator nesting via the `requestComplexity.queryDepth` server option, which is disabled by default. **Recommendations** Parse Server versions prior to 9.6.0-alpha.21 should be upgraded to version 9.6.0-alpha.21 or later. Parse Server versions prior to 8.6.45 should be upgraded to version 8.6.45 or later. After upgrading, enable the `requestComplexity.queryDepth` server option and set it to a value appropriate for your application.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.2 Parse Server versions prior to 8.6.15 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to resource exhaustion. An unauthenticated attacker can exploit the lack of complexity limits in the REST and GraphQL APIs to consume server resources such as CPU, memory, and database connections through crafted queries. All deployments utilizing the REST or GraphQL API are potentially affected. **Recommendations** Update to Parse Server version 9.5.2-alpha.2 or later. Update to Parse Server version 8.6.15 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 **Description** The `ConfigKeyCache` component within Parse Dashboard incorrectly utilizes the same cache key for both master key and read-only master key when resolving function-typed keys. This can lead to a read-only user gaining access to the full master key, or a regular user receiving the cached read-only master key under specific timing conditions. To mitigate this, avoid using function-typed master keys or remove the `agent` configuration block from your dashboard configuration. **Recommendations** Update to version 9.0.0-alpha.8 or later. Avoid using function-typed master keys. Remove the `agent` configuration block from your dashboard configuration.

**Name of the Vulnerable Software and Affected Versions** Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 **Description** The Parse Dashboard AI Agent API endpoint (`POST /apps/:appId/agent`) does not have Cross-Site Request Forgery (CSRF) protection. An attacker can create a malicious webpage that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim’s session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. **Recommendations** Versions 7.3.0-alpha.42 through 9.0.0-alpha.7: Remove the `agent` configuration block from your dashboard configuration.

Name of the Vulnerable Software and Affected Versions: Parse Server versions 5.3.0 through 7.5.3 Parse Server version 8.2.2 Description: Parse Server’s GraphQL API allowed public access to the GraphQL schema without requiring a session token or the master key in versions 5.3.0 through 7.5.3 and 8.2.2. Schema introspection reveals metadata, which can expand the potential attack surface. Recommendations: Update to Parse Server version 7.5.3 or later. Update to Parse Server version 8.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 6.5.5 Parse Server versions prior to 7.0.0-alpha.29 **Description** Parse Server, an open source backend for Node.js, is affected by an issue where calling an invalid Cloud Function name or Cloud Job name can crash the server. This can potentially lead to code injection, internal store manipulation, or remote code execution. Exploitation requires using the `startJob` method with externally controllable parameters. The fix in versions 6.5.5 and 7.0.0-alpha.29 adds string sanitation for Cloud Function and Cloud Job names. **Recommendations** For versions prior to 6.5.5, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server. For versions prior to 7.0.0-alpha.29, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 5.4.4 and 6.1.1 **Description** The issue involves a phishing attack vulnerability where a malicious user can upload an HTML file to Parse Server via its public API. This uploaded HTML file can then be accessed at the internet domain where Parse Server is hosted, potentially making it seem legitimate as it is served under the same domain as a company's official website. An additional security concern arises when using the Parse JavaScript SDK, which stores sessions in the browser's local storage. A malicious HTML file could contain a script to retrieve the user's session token from local storage and share it with the attacker. **Recommendations** For versions prior to 5.4.4 and 6.1.1, update to version 5.4.4 or 6.1.1 to include the fix that adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default. As a temporary workaround, consider restricting access to the public API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** parse-server-push-adapter versions prior to 4.1.3 **Description** The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. **Recommendations** For versions prior to 4.1.3, update to version 4.1.3 to resolve the issue. As a temporary workaround, consider implementing input validation to prevent invalid push notification payloads from crashing the server.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 5.4.1 **Description** The issue arises from Parse Server's use of the request header `x-forwarded-for` to determine the client IP address. If Parse Server is not running behind a proxy server, a client can set this header, allowing Parse Server to trust its value. This leads to the use of an incorrect client IP address by various features in Parse Server, which can be exploited to circumvent the security mechanism of the Parse Server option `masterKeyIps`. This is done by setting an allowed IP address as the `x-forwarded-for` header value. **Recommendations** For versions prior to 5.4.1, update to version 5.4.1 or later, where the mechanism to determine the client IP address has been rewritten to require setting the Parse Server option `trustProxy` for correct IP address determination. As a temporary workaround, consider setting the `trustProxy` option accordingly to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.15 Parse Server versions 5.0.0 through 5.2.5 **Description** A user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID. **Recommendations** For Parse Server versions prior to 4.10.15, update to version 4.10.15 or above. For Parse Server versions 5.0.0 through 5.2.5, update to version 5.2.6 or above. As a temporary workaround for unpatched versions, add a `beforeSave` trigger to the ` Session` class and prevent writing if the requesting user is different from the user in the session object.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.16 Parse Server versions 5.0.0 through 5.2.6 **Description** The issue concerns the validation of the authentication adapter app ID for Facebook and Spotify. In affected configurations, where the `appIds` is set as a string instead of an array of strings, an attacker can authenticate requests from an app with a different app ID than the one specified in the `appIds` configuration. This can happen if the attacker is assigned an app ID by the authentication provider that is a subset of the server-side configured app ID. Both Facebook and Spotify adapters still validate the access token with the respective authentication provider. **Recommendations** For Parse Server versions prior to 4.10.16, update to version 4.10.16 or later. For Parse Server versions 5.0.0 through 5.2.6, update to version 5.2.7 or later. As a temporary workaround, consider setting `appIds` as an array of strings instead of a string to prevent exploitation. Restrict access to the authentication adapter for Facebook and Spotify to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.14 Parse Server versions prior to 5.2.5 **Description** Internal fields (keys used internally by Parse Server, prefixed by ` `) and protected fields (user defined) can be used as query constraints. These fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object. The issue can be exploited by using the `query. where` object to guess internal and protected fields. **Recommendations** For versions prior to 4.10.14, update to version 4.10.14 or later. For versions prior to 5.2.5, update to version 5.2.5 or later. As a temporary workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints, such as deleting keys that start with ` ` from the `query. where` object.

**Name of the Vulnerable Software and Affected Versions** Parse Server (affected versions not specified) **Description** The issue concerns Parse Server LiveQuery, which in affected versions does not remove protected fields in classes, passing them to the client. This has been addressed by the LiveQueryController, which now removes protected fields from the client response. Users are advised to upgrade to resolve the issue. For those unable to upgrade, using `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields is recommended as a workaround. **Recommendations** To resolve the issue, users should upgrade to a version where the LiveQueryController removes protected fields from the client response. As a temporary workaround, consider using `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.12 Parse Server versions prior to 5.2.3 **Description** The issue arises from the improper handling of certain types of invalid file requests, which can cause the server to crash. The availability impact may be low if multiple Parse Server instances are running in a cluster, but it may be high if Parse Server is running as a single instance without redundancy. **Recommendations** For versions prior to 4.10.12, upgrade to version 4.10.12 or later. For versions prior to 5.2.3, upgrade to version 5.2.3 or later. As there are no known workarounds for this issue, upgrading to the specified versions is the recommended course of action.