Description
For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.10.4
- Patched version(s): 4.10.4
References
Related Issues
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server crashes with query parameter - CVE-2021-39187
- Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on February 01, 2023