CVE-2024-47183

HIGH Year: 2024
CVSS v3 Score
8.1
High
Weakness Type
CWE-285
View all →

Vulnerability Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.

Related Vulnerabilities

CVE-2016-10859

HIGH
CVSS:8.1(High)

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).

CWE-2852016

CVE-2016-7143

HIGH
CVSS:8.1(High)

The m_authenticate function in modules/m_sasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE p...

CWE-2852016

CVE-2018-1082

HIGH
CVSS:8.1(High)

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

CWE-2852018

CVE-2018-10861

HIGH
CVSS:8.1(High)

A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches mast...

CWE-2852018

CVE-2018-14637

HIGH
CVSS:8.1(High)

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CWE-2852018

CVE-2018-15465

HIGH
CVSS:8.1(High)

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privilege...

CWE-2852018