Description
Original Message: Hi,
I create objects with one client with an ACL of all users with a specific column value. Thats working so far.
Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.4.0
- Patched version(s): 4.4.0
References
Related Issues
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
- parse-server crashes when receiving file download request with invalid byte range - CVE-2022-39313
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on February 01, 2023