CVE-2022-31112

Parse Server LiveQuery vulnerability (CVE-2022-31112): protected fields in classes were exposed to clients because LiveQueryController failed to strip them. The issue affects Parse Server LiveQuery; the fix is implemented by removing protected fields from client responses in the updated controlle...

CVE-2022-31112 Protected fields exposed via LiveQuery in parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...

Parse Server 信息泄露漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server suffers from an information disclosure vulnerability that stems from the fact that the parsing server, LiveQuery, does not remove protected fields from classes and passes them to t...

LiveQuery publishes user session tokens in parse-server

Impact For regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery...

GHSA-7PR3-P5FM-8R9X LiveQuery publishes user session tokens in parse-server

Impact For regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery...

CVE-2021-41109

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

Session fixation

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109 LiveQuery publishes user session tokens

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...

CVE-2021-41109

CVE-2021-41109 refers to a vulnerability in Parse Server where, before version 4.10.4, LiveQuery payloads leaked session tokens for users with a LiveQuery subscription on the Parse.User class. The root cause is that LiveQuery payloads included session tokens while regular queries did not. The adv...

Parse Server 信息泄露漏洞

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server suffers from an information disclosure vulnerability that stems from the fact that for regular non-LiveQuery queries, session tokens are removed from the response, but not currentl...

PT-2021-23094 · Unknown · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 4.10.4 Description: The issue concerns the exposure of session tokens in LiveQuery payloads for users with a LiveQuery subscription on the Parse.User class. Normally, session tokens are removed from responses fo...