CVE-2020-15270
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| parse-community | parse-server | <= 4.3.0 | affected |
Weaknesses
- CWE-672: {"CWE-672":"Operation on a Resource after Expiration or Release"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
- https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
- https://npmjs.com/parse-server
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
- https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
- https://npmjs.com/parse-server
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.