2 matches found
GHSA-HPM8-9QX6-JVWV Parser Server's streaming file download bypasses afterFind file trigger authorization
Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...
GHSA-72HP-QFF8-4PVV Parse Server has a protected fields bypass via logical query operators
Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...