Unknown · Parse Server · CVE-2023-22474
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions prior to 5.4.1
**Description**
The issue arises from Parse Server's use of the request header `x-forwarded-for` to determine the client IP address. If Parse Server is not running behind a proxy server, a client can set this header itself, and Parse Server will trust its value. Various features in Parse Server then use an incorrect client IP address, which can be exploited to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value.
**Recommendations**
For versions prior to 5.4.1, update to version 5.4.1 or later, where the mechanism to determine the client IP address has been rewritten to require setting the Parse Server option `trustProxy` for correct IP address determination. As a temporary workaround, consider setting the `trustProxy` option accordingly to minimize the risk of exploitation.
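The difference between believing `x-forwarded-for` unconditionally and believing it only from declared proxies, shown as an added JavaScript example. This is not Parse Server's code: the function names, the `trustedProxies` parameter and all addresses are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Parse Server's source. All names are hypothetical.

// Behaviour the advisory describes: the header is believed whoever sent it.
function clientIpTrustingHeader(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socket.remoteAddress;
}

// Hardened: the header counts only when the TCP peer is a proxy the operator
// has declared (assumed here to be what a `trustProxy` setting expresses).
function clientIpWithTrustedProxies(req, trustedProxies = []) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!xff || !trustedProxies.includes(peer)) return peer;
  // Walk right to left: our proxies append on the right, so the first
  // hop that is not a declared proxy is the real client.
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return hops[i];
  }
  return hops[0] || peer;
}

// Exact-match allow-list check in the spirit of `masterKeyIps`.
function masterKeyAllowed(ip, masterKeyIps) {
  return masterKeyIps.includes(ip);
}

// Constructed requests; addresses come from documentation/private ranges.
const masterKeyIps = ['192.0.2.10'];
const direct = { // no proxy in front: the client supplied the header itself
  headers: { 'x-forwarded-for': '192.0.2.10' },
  socket: { remoteAddress: '203.0.113.7' },
};
const viaProxy = { // same header value, delivered by a declared proxy
  headers: { 'x-forwarded-for': '192.0.2.10' },
  socket: { remoteAddress: '10.0.0.5' },
};

function demo() {
  const allowed = (ip) => masterKeyAllowed(ip, masterKeyIps);
  return {
    headerTrusted: allowed(clientIpTrustingHeader(direct)),
    directNoProxy: allowed(clientIpWithTrustedProxies(direct, [])),
    viaDeclaredProxy: allowed(clientIpWithTrustedProxies(viaProxy, ['10.0.0.5'])),
  };
}
console.log(demo());
```

With no proxy declared, the allow-list decision rests on the socket address, so a client-supplied header has no effect on it.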