CVE-2025-68115 (CVSS base score 6.1)
- EPSS 0.18%
- Published 16.12.2025 00:56:23
- Last modified 02.01.2026 16:49:12
- Source security-advisories@github.com
Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.
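The mechanism described above, as an added example that is not Parse Server's code: a minimal Mustache-style renderer showing that a user-controlled value inserted through an unescaped tag (`{{{ }}}` or `{{& }}`) reaches the HTML verbatim while an escaped `{{ }}` tag neutralizes it, plus a lint that lists the unescaped tags in a template. The template text, the `username`/`appName` view values and the function names are constructed for this illustration.

```javascript
// Added example, not Parse Server code: a minimal Mustache-style renderer that
// shows why an unescaped template tag turns a user-controlled value into
// reflected markup (CWE-79), and a lint that flags such tags in a template.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Render: {{name}} escapes; {{{name}}} and {{& name}} insert the raw value.
const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*&\s*([\w.]+)\s*\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, view) {
  return template.replace(TAG, (_, triple, amp, plain) => {
    const name = triple || amp || plain;
    const value = view[name] === undefined ? '' : view[name];
    return (triple || amp) ? String(value) : escapeHtml(value);
  });
}

// Lint: names of the variables a template inserts without escaping.
function findUnescapedTags(template) {
  const unescaped = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*&\s*([\w.]+)\s*\}\}/g;
  const names = [];
  for (const m of template.matchAll(unescaped)) names.push(m[1] || m[2]);
  return names;
}

// Constructed sample: a password-reset style page. `username` comes from the
// request (attacker-controlled); `appName` is server configuration.
const vulnerableTemplate = '<p>Reset the password for {{{username}}} on {{appName}}</p>';
const fixedTemplate = '<p>Reset the password for {{username}} on {{appName}}</p>';
const view = { username: '<b>not-a-username</b>', appName: 'Demo' };

function demo() {
  return {
    vulnerable: render(vulnerableTemplate, view), // markup passes through
    fixed: render(fixedTemplate, view),           // markup is neutralized
    lint: findUnescapedTags(vulnerableTemplate),  // ['username']
  };
}

console.log(demo());
```

Running the lint over a project's page templates is a cheap way to find every place where a request-derived value is rendered without escaping.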
Data provided by the National Vulnerability Database (NVD)
| Vendor | Product | Version | Update | Target software |
|---|---|---|---|---|
| Parseplatform | Parse-server | < 8.6.1 | | Node.js |
| Parseplatform | Parse-server | 9.0.0 | - | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha1 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha2 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha3 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha4 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha5 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha6 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha7 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha8 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha9 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha10 | Node.js |
| Parseplatform | Parse-server | 9.0.0 | alpha11 | Node.js |
| Parseplatform | Parse-server | 9.1.0 | alpha1 | Node.js |
| Parseplatform | Parse-server | 9.1.0 | alpha2 | Node.js |
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.08 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| security-advisories@github.com | 5.3 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv
https://github.com/parse-community/parse-server/pull/9985
https://github.com/parse-community/parse-server/pull/9986