Parse Dashboard

4 CVEs product

CVE-2026-27610 MEDIUM PATCH This Month

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 improperly cache master keys and read-only master keys using identical cache identifiers, allowing authenticated users to escalate privileges by retrieving, under race conditions, cached credentials not intended for their access level. An attacker with read-only dashboard access could retrieve the full master key, while regular users could access the read-only master key, compromising Parse Server security boundaries. The vulnerability requires low privileges and specific timing conditions but is fixed in version 9.0.0-alpha.8.

Information Disclosure AI / ML Parse Dashboard
NVD GitHub
CVSS 3.1: 5.3
EPSS: 0.1%

CVE-2026-27609 MEDIUM PATCH This Month

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to implement CSRF protection on the AI Agent API endpoint, allowing attackers to perform unauthorized actions through the endpoint by tricking authenticated dashboard users into visiting malicious web pages. An attacker can exploit this to manipulate Parse Server applications managed through the vulnerable dashboard without explicit user consent. No patch is currently available; users can mitigate by disabling the agent configuration in their dashboard settings.

CSRF AI / ML Parse Dashboard
NVD GitHub
CVSS 3.1: 6.5
EPSS: 0.0%

CVE-2026-27608 HIGH PATCH This Week

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to properly authorize access to the AI Agent API endpoint, allowing authenticated users to access other apps' agent functionalities and read-only users to escalate privileges by obtaining the master key with write permissions. Attackers can exploit this to read, modify, or delete data across any app on affected Parse Server instances where agent configuration is enabled. No patch is currently available; administrators should disable the agent configuration block as a temporary mitigation.

Authentication Bypass AI / ML Parse Dashboard
NVD GitHub
CVSS 3.1: 8.1
EPSS: 0.0%

CVE-2026-27595 HIGH PATCH This Week

Unauthenticated attackers can execute arbitrary read/write operations against Parse Server databases in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 by exploiting multiple chained vulnerabilities in the opt-in AI Agent API endpoint, gaining master key access without authentication or authorization checks. This affects only dashboards with an agent configuration enabled, allowing complete database compromise. The vulnerability has no available patch at this time, though version 9.0.0-alpha.8 implements fixes including authentication, CSRF validation, and proper authorization controls.

CSRF AI / ML Parse Dashboard
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
