Parse · Parse Server · CVE-2026-32742
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions prior to 9.6.0-alpha.17
Parse Server versions prior to 8.6.42
**Description**
An authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via the `POST /classes/_Session` API endpoint. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date, and allows setting a predictable session token value. The vulnerable parameters are `sessionToken`, `expiresAt`, and `createdWith`.
**Recommendations**
Versions prior to 9.6.0-alpha.17: Upgrade to version 9.6.0-alpha.17 or later.
Versions prior to 8.6.42: Upgrade to version 8.6.42 or later.
As a workaround for all affected versions, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.
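The following Cloud Code sketch is an added example of the `beforeSave` workaround described above; it is not code from the advisory or from the Parse Server project. It assumes that Parse Server creates its own session objects with the master key (so `request.master` is true for legitimate login flows) and that any non-master request marking these fields dirty on a `_Session` is user-supplied. It rejects rather than strips, because nothing in this example regenerates the fields after they are removed. The decision logic is kept in a pure function, and a minimal stand-in for `Parse.Cloud` and `Parse.Error` (constructed here, not the real SDK) lets the guard be exercised offline.

```javascript
// Hypothetical Cloud Code guard for the _Session class (added example, not from the
// advisory or the Parse Server project). Assumes server-created sessions use the master key.
const PROTECTED_SESSION_FIELDS = ['sessionToken', 'expiresAt', 'createdWith'];

// Pure decision logic, separated from the Parse API so it can be tested directly.
// Returns the protected fields the request tried to set, or [] if the write is acceptable.
function protectedFieldsTouched({ isMaster, dirtyKeys }) {
  if (isMaster) return []; // server-side session creation is trusted
  return PROTECTED_SESSION_FIELDS.filter((field) => dirtyKeys.includes(field));
}

// Registers the beforeSave trigger. `Parse` is passed in so this module also runs
// outside Cloud Code; in real Cloud Code you would call registerSessionGuard(Parse).
function registerSessionGuard(Parse) {
  Parse.Cloud.beforeSave('_Session', (request) => {
    const touched = protectedFieldsTouched({
      isMaster: request.master,
      dirtyKeys: request.object.dirtyKeys(),
    });
    if (touched.length === 0) return;
    // Reject the whole write: a client must never choose its own token or expiry.
    throw new Parse.Error(
      Parse.Error.OPERATION_FORBIDDEN,
      `Setting ${touched.join(', ')} on _Session is not allowed`
    );
  });
}

// Minimal stand-in for the parts of the Parse SDK the guard uses (constructed for this
// example). Parse.Error.OPERATION_FORBIDDEN is 119 in the real SDK.
function makeFakeParse() {
  const triggers = {};
  class ParseError extends Error {
    constructor(code, message) {
      super(message);
      this.code = code;
    }
  }
  ParseError.OPERATION_FORBIDDEN = 119;
  return {
    Cloud: { beforeSave: (className, handler) => { triggers[className] = handler; } },
    Error: ParseError,
    triggers,
  };
}

// Runs the guard against a simulated request and returns 'allowed' or the error code.
function simulateSessionWrite({ isMaster, dirtyKeys }) {
  const Parse = makeFakeParse();
  registerSessionGuard(Parse);
  const request = { master: isMaster, object: { dirtyKeys: () => dirtyKeys } };
  try {
    Parse.triggers._Session(request);
    return 'allowed';
  } catch (err) {
    return err instanceof Parse.Error ? err.code : 'unexpected';
  }
}

// Constructed scenarios: a client trying to pick its own token and expiry, a client
// creating a session with only harmless fields, and the server's own login flow.
console.log(simulateSessionWrite({ isMaster: false, dirtyKeys: ['sessionToken', 'expiresAt'] })); // 119
console.log(simulateSessionWrite({ isMaster: false, dirtyKeys: ['installationId'] })); // allowed
console.log(simulateSessionWrite({ isMaster: true, dirtyKeys: PROTECTED_SESSION_FIELDS })); // allowed

module.exports = { PROTECTED_SESSION_FIELDS, protectedFieldsTouched, registerSessionGuard, simulateSessionWrite };
```

Deploy by calling `registerSessionGuard(Parse)` from your Cloud Code entry point; the master-key check is what keeps the trigger from interfering with sessions the server creates during login and signup. The workaround is a stopgap only, and upgrading to a fixed version remains the recommendation above.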