Parse Server Stored Cross-Site Scripting Vulnerability via File Upload

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability has been identified in Parse Server versions prior to 9.6.0-alpha.4 and 8.6.30. The issue arises from the file upload feature, which allows attackers to upload files with certain extensions or content types that are not blocked by default. Active content such as JavaScript can be embedded in these files, for example in SVG or XHTML documents. Once uploaded, the files can be accessed through their URLs, where the browser renders them and executes the embedded code within the context of the Parse Server domain. This vulnerability could be exploited to steal session tokens, redirect users, or perform actions on behalf of other users.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where uploaded files can execute malicious scripts in the context of the user's session on the Parse Server domain.

Remediation

Users should upgrade to Parse Server 9.6.0-alpha.4 or 8.6.30, both of which include the fix. Alternatively, the `fileUpload.fileExtensions` server option can be configured to block the affected file types and content types.
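The workaround above, shown as an added configuration example that is not part of the advisory or of Parse Server's own code: `fileUpload.fileExtensions` is the server option named in the advisory, while the other `fileUpload` keys are standard Parse Server options unrelated to this fix, and `isExtensionAllowed` is a hypothetical stand-in used here to illustrate how an allowlist keeps SVG and XHTML uploads out, not Parse Server's actual matching code.

```javascript
// Allowlist of extensions that browsers do not treat as active documents.
// Anything not on the list is rejected, so SVG, XHTML and HTML uploads
// (the vectors in this advisory) never reach the file store.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// Hypothetical Parse Server options object; only the parts relevant to the
// advisory are filled in. Credentials are placeholders, not real values.
const parseServerConfig = {
  appId: 'APP_ID_PLACEHOLDER',
  masterKey: 'MASTER_KEY_PLACEHOLDER',
  databaseURI: 'mongodb://localhost:27017/parse',
  fileUpload: {
    // Explicit allowlist instead of the default behaviour that the
    // vulnerable versions shipped with.
    fileExtensions: ALLOWED_EXTENSIONS,
    // Standard Parse Server upload gating (independent of this advisory):
    // only authenticated users may upload at all.
    enableForPublic: false,
    enableForAnonymousUser: false,
    enableForAuthenticatedUser: true,
  },
};

// Illustrative allowlist check (assumption: not Parse Server's own logic).
// Accepts a file only when its final extension, compared case-insensitively,
// is on the allowlist; names with no extension are rejected as well.
function isExtensionAllowed(filename, allowed = ALLOWED_EXTENSIONS) {
  const idx = filename.lastIndexOf('.');
  if (idx <= 0 || idx === filename.length - 1) return false;
  const ext = filename.slice(idx + 1).toLowerCase();
  return allowed.map(e => e.toLowerCase()).includes(ext);
}

// Partition a batch of constructed upload names into allowed and rejected,
// so an operator can see the effect of the allowlist before deploying it.
function classifyUploads(names, allowed = ALLOWED_EXTENSIONS) {
  const result = { allowed: [], rejected: [] };
  for (const name of names) {
    (isExtensionAllowed(name, allowed) ? result.allowed : result.rejected).push(name);
  }
  return result;
}

// Constructed sample input for a dry run.
const SAMPLE_UPLOADS = ['avatar.png', 'logo.SVG', 'page.xhtml', 'index.html', 'readme'];
console.log(JSON.stringify(classifyUploads(SAMPLE_UPLOADS), null, 2));
```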

Added: Mar 11, 2026, 6:21 PM
Updated: Mar 11, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          6.4
impact          3.5
exploitability  6.5
remediation     8.3
relevance       3.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.