Description
Parse Server (npm package parse-server) broadcasts events to all clients without checking whether the client's session token is still valid. As a result, clients whose sessions have expired continue to receive subscription objects for events they subscribed to. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Remediation
References
https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
https://npmjs.com/parse-server