Description
Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.
Recommendation
Update the parse-server package to the latest compatible version. Version details follow:
Affected version(s): **>= 5.0.0, < 5.2.7** and **< 4.10.16**
Patched version(s): **5.2.7**, **4.10.16**
Related Issues
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Authentication bypass vulnerability in Apple Game Center auth adapter - CVE-2022-31083
Tags: npm, parse-server
Last updated on January 27, 2023