CVE-2020-15126
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| parse-community | parse-server | >= 3.5.0, < 4.3.0 | affected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.