CVE-2024-27298

high-risk
Published 2024-03-01

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

Do I need to act?

-
0.31% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 5f9a27fb8eda1b80053a906eca69b9ebe9ffac45, 5452c8f41fd81f5c4981219685d6fde26b992ba0
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Parseplatform

References (10)

Patch https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e...
Patch https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8...
Release Notes https://github.com/parse-community/parse-server/releases/tag/6.5.0
Release Notes https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
Vendor Advisory https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3v...
Patch https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e...
Patch https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8...
Release Notes https://github.com/parse-community/parse-server/releases/tag/6.5.0
Release Notes https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
Vendor Advisory https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3v...
55
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 1/34 · Minimal
Exposure 21/34 · High