Description

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

Remediation

References

https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58

https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj

https://npmjs.com/parse-server

Related Vulnerabilities

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.13

CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips-debug

CVE-2023-32732 Vulnerability in maven package io.grpc:grpc-protobuf

CVE-2018-1313 Vulnerability in maven package org.apache.derby:derby

CVE-2020-7708 Vulnerability in npm package @irrelon/path

Severity

Medium

Classification

CWE-672 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Third Party Advisory Product