#VU77794 Prototype pollution in Parse Server
Vulnerability identifier: #VU77794
Vulnerability risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-1321
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Parse Server
Web applications /
Modules and components for CMS
Vendor: Parse Community
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation within the MongoDB BSON parser. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation or lead to code execution.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Parse Server: 6.0.0 - 6.2.0, 5.0.0 - 5.5.1
External links
http://github.com/parse-community/parse-server/issues/8675
http://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
http://github.com/parse-community/parse-server/releases/tag/6.2.1
http://github.com/parse-community/parse-server/releases/tag/5.5.2
http://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f
http://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90
http://github.com/parse-community/parse-server/issues/8674
http://github.com/advisories/GHSA-prm5-8g2m-24gg
http://www.zerodayinitiative.com/advisories/ZDI-23-1160/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
