Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.
This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 9
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
— |
8.6.64
|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
9.0.0
|
9.7.0
|
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha1:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha2:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha3:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha4:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha5:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha6:*:*:*:node.js:*:*
|
— | — |
|
Parseplatform Parse-Server
cpe:2.3:a:parseplatform:parse-server:9.7.0:alpha7:*:*:*:node.js:*:*
|
— | — |
References 5
https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94…
security-advisories@github.com
https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6f…
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10326
security-advisories@github.com
https://github.com/parse-community/parse-server/pull/10327
security-advisories@github.com
https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g…
security-advisories@github.com