Manuel Trezza

#19000 of 53,630
14.1 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2024-32465
8.6
2024-10-04
Unknown · Parse Server · CVE-2024-47183
**Name of the Vulnerable Software and Affected Versions**

Parse Server versions prior to 6.5.9 and versions prior to 7.3.0

**Description**

When the Parse Server option `allowCustomObjectId: true` is set, an attacker can create a new user with a custom object ID and thereby acquire the privileges of a specific role.

**Recommendations**

For versions prior to 6.5.9, update to version 6.5.9 or later to resolve the issue. For versions prior to 7.3.0, update to version 7.3.0 or later to resolve the issue.

As a temporary workaround, consider disabling custom object IDs by setting `allowCustomObjectId: false`. Alternatively, use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix `role:`.
PT-2020-16832
5.5
2020-11-12
Apple · Apple macOS · CVE-2020-27894
**Name of the Vulnerable Software and Affected Versions**

macOS versions prior to 11.0.1

**Description**

The issue was addressed with additional user controls. Users may be unable to remove metadata indicating where files were downloaded from.

**Recommendations**

For versions prior to 11.0.1, update to macOS Big Sur 11.0.1 to resolve the issue.