Versions of parse-server prior to 3.6.0 could allow an account enumeration attack via account linking. ParseError.ACCOUNT_ALREADY_LINKED (208) was thrown before the AuthController checked the password and threw ParseError.SESSION_MISSING (206) for insufficient auth. An attacker can guess ids and get information about linked accounts/email addresses.
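The check-ordering problem described above, as an added example that is not parse-server's own code: a simulated link handler with the pre-fix ordering beside the corrected one. Only the two error codes come from the advisory; the handler names, the `acme` provider, and the user records are hypothetical and constructed for illustration.

```javascript
// Added illustration, not parse-server source. All names are hypothetical
// except the two error codes, which are the ones quoted in the advisory.
const ACCOUNT_ALREADY_LINKED = 208;
const SESSION_MISSING = 206;

// Constructed sample data: u1 already has the third-party id "1001" linked.
const users = [
  { objectId: 'u1', sessionToken: 'r:constructed-1', authData: { acme: { id: '1001' } } },
  { objectId: 'u2', sessionToken: 'r:constructed-2', authData: {} },
];

class ApiError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

const isLinked = (provider, id) =>
  users.some((u) => u.authData[provider] && u.authData[provider].id === id);

// Stand-in for the credential check: the caller must present a valid session.
function authenticate(req) {
  const user = users.find((u) => u.objectId === req.userId && u.sessionToken === req.sessionToken);
  if (!user) throw new ApiError(SESSION_MISSING, 'Insufficient auth.');
  return user;
}

// Pre-fix ordering: the uniqueness lookup runs first, so its outcome is
// visible to callers who have not authenticated (208 vs 206 differ).
function linkVulnerable(req) {
  if (isLinked(req.provider, req.id)) throw new ApiError(ACCOUNT_ALREADY_LINKED, 'Account already linked.');
  const user = authenticate(req);
  user.authData[req.provider] = { id: req.id };
  return 0;
}

// Corrected ordering: authenticate first, so every unauthenticated request
// gets 206 regardless of whether the id exists.
function linkFixed(req) {
  const user = authenticate(req);
  if (isLinked(req.provider, req.id)) throw new ApiError(ACCOUNT_ALREADY_LINKED, 'Account already linked.');
  user.authData[req.provider] = { id: req.id };
  return 0;
}

// Returns the error code a handler produces for a request (0 = success).
function codeFor(handler, req) {
  try { return handler(req); } catch (e) { return e.code; }
}
```

A regression test for this class of bug asserts that unauthenticated responses are identical for existing and non-existing ids, as the corrected handler's are here.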
For more information
If you have any questions or comments about this advisory:
Open an issue in the parse-server
Parse Community Vulnerability Disclosure Program