Theinfosecguy

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.13 Parse Server versions prior to 9.5.1-alpha.2 **Description** An unauthenticated attacker can cause a denial of service by crashing the Parse Server process. This occurs by calling a Cloud Function endpoint with a prototype property name as the function name, leading to infinite recursion and a call stack size error. Additionally, prototype property names bypass Cloud Function dispatch validation, resulting in HTTP 200 responses even when no corresponding Cloud Functions are defined. This also applies to dot-notation traversal. The vulnerability affects all Parse Server deployments exposing the Cloud Function endpoint. The issue involves the internal handler registries for Cloud Functions, Jobs, Triggers, and Validators, which previously allowed prototype chain properties to be resolved. **Recommendations** Versions prior to 8.6.13 should be updated to version 8.6.13. Versions prior to 9.5.1-alpha.2 should be updated to version 9.5.1-alpha.2. As a temporary workaround, consider placing a reverse proxy or Web Application Firewall (WAF) in front of Parse Server and blocking requests to `Object.prototype` property names.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.8 Parse Server versions prior to 8.6.21 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, contains an issue in its query handling. An attacker, authenticated or unauthenticated, can potentially obtain session tokens belonging to other users by manipulating the `redirectClassNameForKey` query parameter. Successful exploitation requires the attacker's ability to create or update an object with a new relation field, dependent on the Class-Level Permissions of at least one class. Compromised session tokens could allow for account takeover. **Recommendations** Update Parse Server to version 9.5.2-alpha.8 or later. Update Parse Server to version 8.6.21 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.9 Parse Server versions prior to 8.6.22 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, contains a flaw in its OAuth2 authentication adapter. When configured without the `useridField` option, the adapter verifies token activity via the provider’s token introspection endpoint but does not confirm the token’s association with the user identified by `authData.id`. This allows an attacker possessing any valid OAuth2 token from the same provider to authenticate as any other user. The issue impacts Parse Server deployments utilizing the generic OAuth2 authentication adapter (configured with `oauth2: true`) without setting the `useridField` option. **Recommendations** Update to Parse Server version 9.5.2-alpha.9 or later. Update to Parse Server version 8.6.22 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.5.2-alpha.12 Parse Server versions prior to 8.6.25 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, contains an issue where the internal ` GraphQLConfig` and ` Audience` classes are accessible, modifiable, and deletable through the `/classes/ GraphQLConfig` and `/classes/ Audience` REST API routes without requiring master key authentication. This circumvents the master key enforcement present in the dedicated `/graphql-config` and `/push audiences` API endpoints. An attacker could potentially read, modify, and delete GraphQL configuration and push audience data. The affected API endpoints are `/classes/ GraphQLConfig` and `/classes/ Audience`. **Recommendations** Update to Parse Server version 9.5.2-alpha.12 or later. Update to Parse Server version 8.6.25 or later.