3 matches found
CVE-2021-39138
Parse Server prior to v4.5.1 incorrectly classifies anonymous sessions as password-created when first signing up via REST, due to the createdWith value in _Session. This affects only developers who rely on createdWith for access control; the vulnerability is fixed in 4.5.1. The recommended workar...
CVE-2021-39187
CVE-2021-39187 affects Parse Server prior to 4.10.3. The vulnerability arises from the MongoDB Node.js driver: when a query request contains an invalid value for the explain option, the driver throws an exception that Parse Server cannot catch, causing a crash. A patch exists in Parse Server 4.10...
CVE-2021-41109
CVE-2021-41109 refers to a vulnerability in Parse Server where, before version 4.10.4, LiveQuery payloads leaked session tokens for users with a LiveQuery subscription on the Parse.User class. The root cause is that LiveQuery payloads included session tokens while regular queries did not. The adv...