Arbitrary File Upload Affecting parse-server package, versions <5.5.0 >=6.0.0 <6.2.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-PARSESERVER-5661794
- published 31 May 2023
- disclosed 31 May 2023
- credit Unknown
Introduced: 31 May 2023
CVE-2023-32689 Open this link in a new tabHow to fix?
Upgrade parse-server to version 5.5.0, 6.2.0 or higher.
Overview
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Arbitrary File Upload such that a malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.
Note:
An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.