CVE-2019-1020013

Name of the Vulnerable Software and Affected Versions: parse-server versions prior to 3.6.0

Description: The issue allows for account enumeration. An attacker can guess ids and obtain information about linked accounts or email addresses. This occurs because ParseError.ACCOUNT ALREADY LINKED(208) is thrown before the AuthController checks the password, allowing an attacker to deduce the existence of certain accounts.

Recommendations: For versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to account linking functionality until the update is applied.