Parse Dashboard Missing CSRF Protection in AI Agent API Endpoint Vulnerability

Vulnerability

A vulnerability exists in Parse Dashboard versions from 7.3.0-alpha.42 and prior to 9.0.0-alpha.7, where the AI Agent API endpoint lacks Cross-Site Request Forgery (CSRF) protection. This flaw allows an attacker to create a malicious page that, when accessed by an authenticated user, can send requests to the agent endpoint using the user's session. The vulnerability has been addressed in version 9.0.0-alpha.8, which introduces CSRF middleware to the agent endpoint and adds a CSRF token to the dashboard page. As a temporary measure, users can remove the 'agent' configuration block from their dashboard settings; dashboards without that block are not affected.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, potentially allowing for manipulation of data or application behavior through the AI Agent API endpoint.

Remediation

Users can update to Parse Dashboard version 9.0.0-alpha.8 or later, where this vulnerability has been patched. Alternatively, dashboards can be configured without the 'agent' block to avoid exposure to this vulnerability.

Added: Feb 25, 2026, 3:28 AM
Updated: Feb 25, 2026, 3:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.