CVE-2024-27298
CRITICAL: Parse Server <6.5.0, <7.0.0-alpha.20 - SQL Injection
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
References (5)
Vendor Advisory (x_refsource_confirm): https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2
Patch (x_refsource_misc): https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504
Patch (x_refsource_misc): https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833
Release Notes (x_refsource_misc): https://github.com/parse-community/parse-server/releases/tag/6.5.0
Release Notes (x_refsource_misc): https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
Scores
CVSS v3: 10.0
EPSS: 0.0031
EPSS Percentile: 54.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (4)
npm/parse-server: 0 - 6.5.0 (npm)
parseplatform/parse-server: 6.5.0 alpha1 (3 CPE variants)
parseplatform/parse-server: 7.0.0 alpha1 (19 CPE variants)
parseplatform/parse-server: < 6.5.0
Published: Mar 01, 2024
Tracked Since: Feb 18, 2026