CVE-2022-41878

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 4.10.19 Parse Server versions prior to 5.3.2

Description The issue allows keywords specified in the requestKeywordDenylist option to be injected via Cloud Code Webhooks or Triggers, resulting in the keyword being saved to the database and bypassing the requestKeywordDenylist option. This can be exploited by making requests to the Cloud Code Webhooks API. To mitigate this, configuring the firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API or blocking the API completely if not in use can help.

Recommendations For versions prior to 4.10.19, update to version 4.10.19 or later. For versions prior to 5.3.2, update to version 5.3.2 or later. As a temporary workaround, consider configuring your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.