Description
Original Message: Hi,
I create objects with one client with an ACL of all users with a specific column value. Thats working so far.
Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant create new objects, which Parse restricts right.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.4.0
- Patched version(s): 4.4.0
References
Related Issues
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- Parse Server stores password in plain text - CVE-2020-26288
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on February 01, 2023