CVE-2021-41109
Summary
| CVE | CVE-2021-41109 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-09-30 15:15:00 UTC |
|---|
| Updated | 2021-10-08 03:23:00 UTC |
|---|
| Description | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| LiveQuery publishes user session tokens · Advisory · parse-community/parse-server · GitHub |
CONFIRM |
github.com |
|
| Release 4.10.4 · parse-community/parse-server · GitHub |
MISC |
github.com |
|
| Merge pull request from GHSA-7pr3-p5fm-8r9x · parse-community/parse-server@4ac4b7f · GitHub |
MISC |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980624 Nodejs (npm) Security Update for parse-server (GHSA-7pr3-p5fm-8r9x)
