SB2023053080 - Improper access control in parse-server
Published: May 30, 2023 Updated: May 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2023-32689)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in file upload handling: the public file upload API accepts HTML files. A remote user can upload a crafted HTML file and trick victims into opening it in order to disclose sensitive information.
When the Parse JavaScript SDK is used, a malicious script in the uploaded HTML can access the victim's session token from browser local storage. User interaction is required to open the crafted URL.
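As an added example (not parse-server's own code and not the vendor's fix), this is the kind of deny-by-default upload validation and download-response hardening a deployment can place in front of a file upload API so that an uploaded HTML document is neither accepted nor rendered in the application's origin; the extension allowlist and the sniffing heuristics are assumptions chosen for illustration.

```javascript
// Added example, not parse-server code: validate uploads so that HTML never
// reaches storage, and serve stored files so that a browser never executes
// them in the app's origin (where the Parse JS SDK keeps the session token
// in localStorage). Deny by default; the allowlist below is illustrative.
const ALLOWED_EXTENSIONS = new Set(['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']);

// Extensions a browser may render as active content regardless of the
// declared MIME type; kept separate so reviewers see what is blocked and why.
const ACTIVE_CONTENT_EXTENSIONS = new Set(['html', 'htm', 'xhtml', 'svg', 'xml']);

// Last path component, last extension, lower-cased ("a.png.HTML" -> "html").
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop();
  const idx = base.lastIndexOf('.');
  return idx === -1 ? '' : base.slice(idx + 1).toLowerCase();
}

// Cheap content sniff on the first 1 KiB: does the body look like HTML?
// Catches "photo.png" uploads that are really an HTML document.
function looksLikeHtml(bytes) {
  const head = Buffer.from(bytes).subarray(0, 1024).toString('latin1').trim().toLowerCase();
  return /^<!doctype\s+html/.test(head) || /<(html|script|body|iframe|svg)[\s>]/.test(head);
}

// Returns { ok: true } or { ok: false, reason } for a candidate upload.
function validateUpload(filename, contentType, bytes) {
  const ext = extensionOf(filename);
  if (ACTIVE_CONTENT_EXTENSIONS.has(ext)) return { ok: false, reason: 'active-content extension' };
  if (!ALLOWED_EXTENSIONS.has(ext)) return { ok: false, reason: 'extension not allowlisted' };
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (type === 'text/html' || type === 'application/xhtml+xml') return { ok: false, reason: 'html content type' };
  if (looksLikeHtml(bytes)) return { ok: false, reason: 'content sniffs as html' };
  return { ok: true };
}

// Headers for serving user uploads: force download, forbid MIME sniffing and
// sandbox anything that is rendered anyway, as a second layer if a check above
// is ever bypassed.
function downloadHeaders(filename) {
  return {
    'Content-Disposition': `attachment; filename="${filename.replace(/["\r\n]/g, '_')}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample: an HTML document disguised with an image extension.
console.log(validateUpload('photo.png', 'image/png', Buffer.from('<!DOCTYPE html><html>')));
```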
Remediation
Install the update from the vendor's website.