Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server subject to Incorrect Resource Transfer Between Spheres
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. This issue is patched in version 4.10.15 and above, and 5.2.6 and above. To mitigate this issue in unpatched versions add a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
在范围间的资源转移不正确
Vulnerability Title
Parse Server 安全漏洞
Vulnerability Description
Parse Server是一个开源后端,可以部署到任何可以运行 Node.js 的基础设施。 Parse Server 4.10.15之前版本、5.0.0版本至5.2.6之前版本存在安全漏洞。攻击者利用该漏洞可以将会话对象分配给自己的用户,方法是写入“user”字段,然后读取该会话对象的任何自定义字段。
CVSS Information
N/A
Vulnerability Type
N/A