parse-server is vulnerable to authentication bypass. The vulnerability exists in the handleSession function in RestWrite.js, which enables a foreign user to assign the session object of another user to their own by writing to the user field and impersonate the victim.
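
The ownership check this class of bug calls for, shown on a toy in-memory session store beside the unchecked form. This is an added example, not parse-server's code; the store layout, the auth object and all function names are hypothetical.

```javascript
// Toy in-memory model with constructed sample data; not parse-server code.
// auth is assumed to look like { isMaster: boolean, userId: string }.
function makeStore() {
  return new Map([
    ['sess-A', { objectId: 'sess-A', user: 'alice' }],
    ['sess-B', { objectId: 'sess-B', user: 'bob' }],
  ]);
}

// Before: any authenticated caller may write any field of any session,
// so the user field of someone else's session can be re-pointed.
function updateSessionUnchecked(store, auth, sessionId, data) {
  const session = store.get(sessionId);
  if (!session) throw new Error('not found');
  return Object.assign(session, data);
}

// After: a non-master caller may only update sessions it owns, and may not
// set the user field to a different account.
function updateSessionChecked(store, auth, sessionId, data) {
  const session = store.get(sessionId);
  // Same error for "missing" and "not yours" so object IDs are not confirmed.
  if (!session || (!auth.isMaster && session.user !== auth.userId)) {
    throw new Error('not found');
  }
  if (!auth.isMaster && 'user' in data && data.user !== auth.userId) {
    throw new Error('cannot change user on a session');
  }
  return Object.assign(session, data);
}

// Returns the rejection message, or null when the update was accepted.
function tryUpdate(fn, store, auth, sessionId, data) {
  try {
    fn(store, auth, sessionId, data);
    return null;
  } catch (e) {
    return e.message;
  }
}
```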
github.com/advisories/GHSA-6w4q-23cf-j9jp
github.com/parse-community/parse-server/commit/6d0b2f534603301bb630d9c8e497af3bc7ff1d09
github.com/parse-community/parse-server/commit/7ca9ed01424478d299e5576ee4208bd9fea78760
github.com/parse-community/parse-server/pull/8182
github.com/parse-community/parse-server/pull/8183
github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp