Protected fields exposed via LiveQuery

High

mtrezza published GHSA-crrq-vr9j-fxxh

Jun 30, 2022

Package

parse-server (npm)

Affected versions

(<4.10.13) || (>=5.0.0 <5.2.4)

Patched versions

(>=4.10.13 <5.0.0) || (>=5.2.4)

Description

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

For more information

If you have any questions or comments about this advisory:

For questions or comments about this vulnerability visit our community forum or community chat
Report other vulnerabilities at report.parseplatform.org

Severity

High

8.2

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N