Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.
The LiveQueryController now removes protected fields from the client response.
Use Parse.Cloud.afterLiveQueryEvent
to manually remove protected fields.
If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our community forum or community chat - Report other vulnerabilities at report.parseplatform.org
{ "github_reviewed_at": "2022-07-06T19:52:23Z", "github_reviewed": true, "nvd_published_at": "2022-06-30T17:15:00Z", "cwe_ids": [ "CWE-200", "CWE-212" ], "severity": "HIGH" }