Veracode Vulnerability DatabaseVERACODE:43150Incorrect Control Flow Implementation
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
45.0%
Parse server is vulnerable to Incorrect Control Flow Implementation vulnerability. The vulnerability is caused by not invoking beforeFind trigger when executing the Parse.Query method in certain conditions. This can lead to access control issues when beforeFind is used as a security layer to modify the incoming query.
References
docs.parseplatform.org/parse-server/guide/#security
github.com/parse-community/parse-server/commit/7f5d744ce2eea774a10ab0a8c47bd587941c7775
github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5
github.com/parse-community/parse-server/releases/tag/5.5.5
github.com/parse-community/parse-server/releases/tag/6.2.2
github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
45.0%