PT-2022-24823 · Unknown · Parse Server

Mtrezza · Published 2022-09-21 · Updated 2024-03-06 · CVE-2022-39225

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 4.10.15
Parse Server versions 5.0.0 through 5.2.5
Description

A user can write to the session object of another user if that session object's ID is known. For example, an attacker can assign the session object to their own user by writing to its "user" field and then read any custom fields stored on that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. While it is unlikely that the session object ID of another user is known, it is possible to guess an object ID by brute force.
Recommendations

For Parse Server versions prior to 4.10.15, update to version 4.10.15 or above.
For Parse Server versions 5.0.0 through 5.2.5, update to version 5.2.6 or above.
As a temporary workaround for unpatched versions, add a beforeSave trigger to the Session class and prevent writing if the requesting user is different from the user in the session object.
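The following is an added example of the temporary workaround described above, written for this page; it is not code from the Parse Server project or from the advisory author. It implements a Cloud Code beforeSave guard for the built-in _Session class and exercises it against the scenario in the Description (user B writing user A's session and pointing its "user" field at B). Assumed, not taken from the page: the standard Cloud Code trigger request fields (request.master, request.user, request.object, request.original), Parse.Error.OPERATION_FORBIDDEN as the rejection code, and the constructed fakeObject/fakeUser stand-ins used to run the check without a server.

```javascript
// Added example (not Parse Server project code): Cloud Code beforeSave guard for _Session,
// the temporary workaround the advisory recommends for unpatched versions.
// Assumptions: Cloud Code trigger request shape (request.master, request.user,
// request.object, request.original) and Parse.Error.OPERATION_FORBIDDEN.

// Returns null when the write may proceed, otherwise a short reason for rejecting it.
function sessionWriteDenial(request) {
  // Writes made with the master key are server-side administration; let them through.
  if (request.master) return null;

  const requester = request.user;
  if (!requester || !requester.id) {
    return 'unauthenticated write to _Session';
  }

  // On an update, request.original holds the stored object; its user is the session owner.
  const storedOwner = request.original ? request.original.get('user') : null;
  if (storedOwner && storedOwner.id !== requester.id) {
    return 'session belongs to a different user';
  }

  // Reject any attempt to point the session at someone other than the requester,
  // which is the write the attacker in this advisory performs.
  const newOwner = request.object.get('user');
  if (newOwner && newOwner.id !== requester.id) {
    return 'session user field may not be reassigned';
  }

  return null;
}

// Wire the check to the trigger API. Throwing a Parse.Error from beforeSave aborts the
// save and returns the error to the client.
function registerSessionGuard(Parse) {
  Parse.Cloud.beforeSave('_Session', request => {
    const reason = sessionWriteDenial(request);
    if (reason) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, reason);
    }
  });
}

// Register automatically when loaded as Cloud Code, where the Parse SDK is a global.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  registerSessionGuard(Parse);
}

// Constructed stand-ins for Parse.Object / Parse.User so the guard can run offline.
function fakeObject(fields) {
  return { get: key => fields[key] };
}
function fakeUser(id) {
  return { id };
}

// Scenario from the advisory: user B writes user A's session and sets its user field to B.
const hijackAttempt = {
  master: false,
  user: fakeUser('userB'),
  original: fakeObject({ user: fakeUser('userA') }),
  object: fakeObject({ user: fakeUser('userB') }),
};
// Legitimate case: user A updating a custom field on their own session.
const ownUpdate = {
  master: false,
  user: fakeUser('userA'),
  original: fakeObject({ user: fakeUser('userA') }),
  object: fakeObject({ user: fakeUser('userA'), lastScreen: 'settings' }),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('hijack attempt:', sessionWriteDenial(hijackAttempt));
  console.log('own update:', sessionWriteDenial(ownUpdate));
}
```

The decision logic is kept in a pure function so it can be unit-tested without a running server; only registerSessionGuard touches the Parse SDK. Master-key writes are exempt because server-side session management legitimately creates and edits sessions for other users. Before relying on this in production, confirm on the deployed Parse Server version that the trigger is accepted for _Session and fires on the write path you are protecting; updating to a fixed version remains the real remedy.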

Weakness Enumeration

Incorrect Default Permissions (CWE-276)

Related Identifiers

BIT-PARSE-2022-39225
CVE-2022-39225
GHSA-6W4Q-23CF-J9JP

Affected Products

Parse Server