Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Dashboard has incomplete authentication on AI Agent endpoint
Vulnerability Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read and write operations against any connected Parse Server database using the master key. The agent feature is opt-in; dashboards without an agent config are not affected. The fix in version 9.0.0-alpha.8 adds authentication, CSRF validation, and per-app authorization middleware to the agent endpoint. Read-only users are restricted to the `readOnlyMasterKey` with write permissions stripped server-side. A cache key collision between master key and read-only master key was also corrected. As a workaround, remove or comment out the agent configuration block from your Parse Dashboard configuration.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Parse Dashboard 访问控制错误漏洞
Vulnerability Description
Parse Dashboard是Parse Platform开源的一个仪表盘工具。 Parse Dashboard 7.3.0-alpha.42至9.0.0-alpha.7版本存在访问控制错误漏洞,该漏洞源于AI Agent API端点存在多个安全漏洞,可能导致未经验证的远程攻击者对连接的Parse Server数据库执行任意读写操作。
CVSS Information
N/A
Vulnerability Type
N/A