Arbitrary File Upload Affecting parse-server package, versions <5.5.0>=6.0.0 <6.2.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.11% (47th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary File Upload vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-PARSESERVER-5661794
  • published31 May 2023
  • disclosed31 May 2023
  • creditUnknown

Introduced: 31 May 2023

CVE-2023-32689  (opens in a new tab)
CWE-434  (opens in a new tab)

How to fix?

Upgrade parse-server to version 5.5.0, 6.2.0 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Arbitrary File Upload such that a malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.

Note:

An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.

CVSS Scores

version 3.1