Monthly
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Flask is a web server gateway interface (WSGI) web application framework. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. No vendor patch available.
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Flask is a web server gateway interface (WSGI) web application framework. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. No vendor patch available.
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.