Description
Original Message: Hi,
I create objects with one client with an ACL of all users with a specific column value. Thats working so far.
Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.4.0
- Patched version(s): 4.4.0
References
Related Issues
- Information disclosure in parse-server - CVE-2020-5251
- Parse Server LiveQuery subscription with invalid regular expression crashes server - CVE-2026-32770
- Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know
Last updated on February 01, 2023