
Cloud Vulnerability DB
A community-led vulnerabilities database
Parse Server versions prior to 5.4.4 and 6.1.1 were discovered to contain a vulnerability (CVE-2023-32689) that enables phishing. Malicious users could upload HTML files through Parse Server's public file-upload API, and those files were then served from the server's own hosted domain. This was particularly concerning because the malicious HTML files would appear legitimate, since they were delivered under the organization's official domain (GitHub Advisory).
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 6.5 (Medium) according to NVD, and 6.3 (Medium) according to GitHub. The attack vector is Network-based (AV:N) with high attack complexity (AC:H), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is changed (S:C) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).
The vulnerability has two primary impact vectors. First, attackers could conduct phishing attacks by sharing URLs to malicious HTML files hosted on the legitimate domain. Second, when used in conjunction with the Parse JavaScript SDK, the vulnerability could allow attackers to steal user session tokens from the browser's local storage, as the malicious HTML file would have access to the same domain's local storage (GitHub Advisory).
The vulnerability has been patched in versions 5.4.4 and 6.1.1 with the introduction of a new Parse Server option, 'fileUpload.fileExtensions'. This option restricts file uploads by extension, and HTML file extensions are disabled by default. Organizations that require HTML file upload capability can override this restriction by setting the option to ['.*'] or to a custom value of their own (GitHub Advisory).
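The following is an added example, not Parse Server's own code, modelling the extension gate that the 'fileUpload.fileExtensions' option controls, so a defender can check which file names a given setting admits before deploying it. It assumes (the page does not say so) that each list entry is a regular expression tested against the file's extension alone, that the extension is taken from the part after the last dot of the file name with the MIME subtype as a fallback, and that the default entry is a negative lookahead rejecting 'html' and 'htm' in any letter case. The ['.*'] override from the advisory and a stricter allow-list of image and document extensions are shown beside it.

```javascript
// Added example (not Parse Server code): model of the per-upload extension
// check behind fileUpload.fileExtensions, so a setting can be tested offline.

// Assumed default entry: a negative lookahead that refuses "html"/"htm"
// in any case and admits every other extension.
const DEFAULT_FILE_EXTENSIONS = ['^(?!(h|H)(t|T)(m|M)(l|L)?$)'];

// The override the advisory mentions: every extension, HTML included.
const ALLOW_EVERYTHING = ['.*'];

// A stricter allow-list a deployment that never serves markup might use
// (constructed for this example, not a documented default).
const IMAGES_AND_PDF_ONLY = ['^(png|jpe?g|gif|pdf)$'];

// Hardened Parse Server config excerpt built from that allow-list
// (only the fileUpload part is shown; other options omitted).
const hardenedConfig = {
  fileUpload: { fileExtensions: IMAGES_AND_PDF_ONLY },
};

// Derive the extension under test: the text after the last dot of the
// file name, falling back to the MIME subtype (assumed behaviour).
function extensionOf(filename, contentType) {
  if (filename && filename.includes('.')) {
    return filename.slice(filename.lastIndexOf('.') + 1).trim();
  }
  if (contentType && contentType.includes('/')) {
    return contentType.split('/')[1].split(';')[0].trim();
  }
  return '';
}

// True when at least one configured pattern matches the extension.
function isUploadAllowed(fileExtensions, filename, contentType) {
  const ext = extensionOf(filename, contentType);
  return fileExtensions.some(pattern => new RegExp(pattern).test(ext));
}

// Classify a batch of candidate uploads under a given setting, returning
// the file names that would be stored and the ones that would be refused.
function reviewUploads(fileExtensions, uploads) {
  const allowed = [];
  const rejected = [];
  for (const { filename, contentType } of uploads) {
    (isUploadAllowed(fileExtensions, filename, contentType) ? allowed : rejected).push(filename);
  }
  return { allowed, rejected };
}

// Constructed sample upload requests for the demonstration.
const SAMPLE_UPLOADS = [
  { filename: 'avatar.jpg', contentType: 'image/jpeg' },
  { filename: 'report.pdf', contentType: 'application/pdf' },
  { filename: 'login.html', contentType: 'text/html' },
  { filename: 'login.HTM', contentType: 'text/html' },
  { filename: 'diagram.svg', contentType: 'image/svg+xml' },
];

console.log('default :', reviewUploads(DEFAULT_FILE_EXTENSIONS, SAMPLE_UPLOADS));
console.log('override:', reviewUploads(ALLOW_EVERYTHING, SAMPLE_UPLOADS));
console.log('hardened:', reviewUploads(hardenedConfig.fileUpload.fileExtensions, SAMPLE_UPLOADS));
```

Under the assumed default, the two HTML names are refused while everything else passes; under ['.*'] every name is stored, which is the pre-patch behaviour and should be chosen only with the phishing and session-token risks above in mind; under the allow-list only the image and PDF names survive, which is the setting to prefer when the application never needs to serve uploaded markup.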
Source: This report was generated using AI