parse-dashboard 9.0.0-alpha.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the parse-dashboard package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Missing Authorization parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Missing Authorization via the `agent` endpoint. An attacker can gain unauthorized access to other applications' agent endpoints and escalate privileges by modifying the app ID in the URL and supplying write permissions in the request body. This allows authenticated users scoped to specific apps, including read-only users, to perform write and delete operations across apps. This is only exploitable if the `agent` configuration is enabled in the dashboard. How to fix Missing Authorization? Upgrade `parse-dashboard` to version 9.0.0-alpha.8 or higher.	>=7.3.0-alpha.42 <9.0.0-alpha.8
H Missing Authentication for Critical Function parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the `agent` endpoint. An attacker can perform arbitrary database operations against any connected server instance by sending unauthenticated requests. This is only exploitable if the `agent` configuration block is present in the dashboard configuration. How to fix Missing Authentication for Critical Function? Upgrade `parse-dashboard` to version 9.0.0-alpha.8 or higher.	>=7.3.0-alpha.42 <9.0.0-alpha.8
H Cross-site Request Forgery (CSRF) parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the `agent` endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into visiting a malicious page that submits requests using the victim's session. This is only exploitable if the dashboard is configured with an `agent` block. How to fix Cross-site Request Forgery (CSRF)? Upgrade `parse-dashboard` to version 9.0.0-alpha.8 or higher.	>=7.3.0-alpha.42 <9.0.0-alpha.8
H Improper Validation of Unsafe Equivalence in Input parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the `ConfigKeyCache` process. An attacker can obtain unauthorized access to sensitive master key information by exploiting cache key collisions under specific timing conditions. This is only exploitable if function-typed master keys are used or if the `agent` configuration block is present in the dashboard configuration. How to fix Improper Validation of Unsafe Equivalence in Input? Upgrade `parse-dashboard` to version 9.0.0-alpha.8 or higher.	>=7.3.0-alpha.42 <9.0.0-alpha.8

Vulnerability

Vulnerable Version

Missing Authorization

parse-dashboard is a The Parse Dashboard for Parse Server

Affected versions of this package are vulnerable to Missing Authorization via the agent endpoint. An attacker can gain unauthorized access to other applications' agent endpoints and escalate privileges by modifying the app ID in the URL and supplying write permissions in the request body. This allows authenticated users scoped to specific apps, including read-only users, to perform write and delete operations across apps. This is only exploitable if the agent configuration is enabled in the dashboard.

How to fix Missing Authorization?

Upgrade parse-dashboard to version 9.0.0-alpha.8 or higher.

>=7.3.0-alpha.42 <9.0.0-alpha.8

Missing Authentication for Critical Function

parse-dashboard is a The Parse Dashboard for Parse Server

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the agent endpoint. An attacker can perform arbitrary database operations against any connected server instance by sending unauthenticated requests. This is only exploitable if the agent configuration block is present in the dashboard configuration.

How to fix Missing Authentication for Critical Function?

Upgrade parse-dashboard to version 9.0.0-alpha.8 or higher.

>=7.3.0-alpha.42 <9.0.0-alpha.8

Cross-site Request Forgery (CSRF)

parse-dashboard is a The Parse Dashboard for Parse Server

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the agent endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into visiting a malicious page that submits requests using the victim's session. This is only exploitable if the dashboard is configured with an agent block.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade parse-dashboard to version 9.0.0-alpha.8 or higher.

>=7.3.0-alpha.42 <9.0.0-alpha.8

Improper Validation of Unsafe Equivalence in Input

parse-dashboard is a The Parse Dashboard for Parse Server

Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the ConfigKeyCache process. An attacker can obtain unauthorized access to sensitive master key information by exploiting cache key collisions under specific timing conditions. This is only exploitable if function-typed master keys are used or if the agent configuration block is present in the dashboard configuration.

How to fix Improper Validation of Unsafe Equivalence in Input?

Upgrade parse-dashboard to version 9.0.0-alpha.8 or higher.

>=7.3.0-alpha.42 <9.0.0-alpha.8

parse-dashboard@9.0.0-alpha.1 vulnerabilities

The Parse Dashboard for Parse Server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically