Vulnerability Information
Vulnerability Title
Parse Server: Auth provider validation bypass on login via partial authData
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
CVSS Information
N/A
Vulnerability Type
Improper Authentication
Vulnerability Title
Parse Server Authorization Issue Vulnerability
Vulnerability Description
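Parse Server is an open source backend from Parse Platform that can be deployed to any infrastructure that can run Node.js. Parse Server versions prior to 8.6.52 and prior to 9.6.0-alpha.41 contain an authorization issue vulnerability. The vulnerability stems from an authentication bypass, which may allow an attacker to log in, without credentials, to the account of any user who has linked a third-party authentication provider.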
CVSS Information
N/A
Vulnerability Type
N/A