CVE-2026-31875
中文标题:
(暂无数据)
英文标题:
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
漏洞描述
中文描述:
(暂无数据)
英文描述:
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| parseplatform | parse-server | * | - | - |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
| parseplatform | parse-server | 9.6.0 | - | - |
cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| NVD | nvd_CVE-2026-31875 |
2026-03-12 02:00:07 | 2026-03-11 22:00:03 |
版本与语言
安全公告
变更历史
查看详细变更
- severity: SeverityLevel.UNKNOWN -> SeverityLevel.MEDIUM
- cvss_score: 未提取 -> 5.9
- cvss_vector: 未提取 -> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss_version: 未提取 -> 3.1
- affected_products_count: 0 -> 2