SCA: security update for parse-server (GHSA-9prm-jqwx-45x9)

medium Tenable Cloud Security Plugin ID 413406

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user
uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API.
That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of
the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it
is served under the internet domain where Parse Server is hosted, which may be the same as a company's
official website domain. An additional security issue arises when the Parse JavaScript SDK is used. The
SDK stores sessions in the internet browser's local storage, which usually restricts data access depending
on the internet domain. A malicious HTML file could contain a script that retrieves the user's session
token from local storage and then share it with the attacker. The fix included in versions 5.4.4 and 6.1.1
adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file
extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by
default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']`
or another custom value to override the default. (CVE-2023-32689)

See Also

https://github.com/advisories/GHSA-9prm-jqwx-45x9

Plugin Details

Severity: Medium

ID: 413406

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-32689

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/31/2023

Vulnerability Publication Date: 5/30/2023

Reference Information

CVE: CVE-2023-32689

cwe: CWE-434