LiveQuery publishes user session tokens in parse-server

Impact

For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.

Patches

Remove session token from LiveQuery payload.

Workaround

Set user.acl(new Parse.ACL()) in a beforeSave trigger to make the user private already on sign-up.

References

mtrezza published to parse-community/parse-server Sep 30, 2021

Published by the National Vulnerability Database Sep 30, 2021

Reviewed Sep 30, 2021

Published to the GitHub Advisory Database Sep 30, 2021

Last updated Feb 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workaround

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits