5.3.0-alpha.27

5.3.0-alpha.27 (2022-09-29)

Bug Fixes

• authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) [skip release] (#8187) (8c8ec71)
• session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) [skip release] (#8180) (37fed30)

Features

• add option to change the default value of the Parse.Query.limit() constraint (#8152) (0388956)

5.2.7

5.2.7 (2022-09-20)

Bug Fixes

• authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)

5.2.6

5.2.6 (2022-09-20)

Bug Fixes

• session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8182) (6d0b2f5)

4.10.16

4.10.16 (2022-09-20)

Bug Fixes

• authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8186) (b3e7939)

4.10.15

4.10.15 (2022-09-20)

Bug Fixes

• session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8183) (7ca9ed0)

5.3.0-alpha.26

5.3.0-alpha.26 (2022-09-17)

Bug Fixes

• sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)

5.3.0-alpha.25

5.3.0-alpha.25 (2022-09-17)

Bug Fixes

• updating object includes unchanged keys in client response for certain key types (#8159) (37af1d7)

5.3.0-alpha.24

5.3.0-alpha.24 (2022-09-17)

Bug Fixes

• query aggregation pipeline cannot handle value of type Date when directAccess: true (#8167) (e424137)

5.3.0-alpha.23

5.3.0-alpha.23 (2022-09-17)

Bug Fixes

• liveQuery with containedIn not working when object field is an array (#8128) (1d9605b)

5.3.0-alpha.22

5.3.0-alpha.22 (2022-09-16)

Bug Fixes

• brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8146) [skip release] (4c0c7c7)
• push notifications badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)