parse-server's session object properties can be updated by foreign user if object ID is known

Severity:: Medium

Description

A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

Affected version(s): **>= 5.0.0, < 5.2.6 < 4.10.15**
Patched version(s): **5.2.6 4.10.15**

References

GHSA-6w4q-23cf-j9jp
CVE-2022-39225
CWE-276
CWE-669
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

parse-server auth adapter app ID validation can be circumvented - CVE-2022-39231
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
LiveQuery publishes user session tokens in parse-server - CVE-2021-41109

Tags:: npm; parse-server

Anything's wrong? Let us know Last updated on January 27, 2023