Vulnerability Description
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
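To illustrate the class of defect the description names (a session check performed when a subscription is created but not again when an event is pushed), here is an added JavaScript model of a LiveQuery-style broadcaster. It is not Parse Server's own code; the class, method and field names are assumptions, and the tokens and timestamps are constructed sample data.

```javascript
// Constructed model of a pub/sub broadcaster, not Parse Server code.
// Sessions expire; subscribing requires a valid token in both variants,
// but the vulnerable variant never re-checks validity when an event is pushed.
class SessionStore {
  constructor() { this.sessions = new Map(); }
  create(token, expiresAt) { this.sessions.set(token, { expiresAt }); }
  isValid(token, now) {
    const s = this.sessions.get(token);
    return s !== undefined && now < s.expiresAt;
  }
}

class Broadcaster {
  constructor(sessions, revalidateOnBroadcast) {
    this.sessions = sessions;
    this.revalidateOnBroadcast = revalidateOnBroadcast;
    this.subscriptions = [];
  }
  // Subscribe: both variants reject an invalid token here, matching the
  // description's note that invalid tokens cannot create subscriptions.
  subscribe(clientId, token, now) {
    if (!this.sessions.isValid(token, now)) throw new Error('invalid session');
    this.subscriptions.push({ clientId, token });
  }
  // Broadcast: the vulnerable variant delivers to every subscriber; the
  // hardened variant skips subscriptions whose session has since expired.
  // Returns the list of client ids that received the event.
  broadcast(event, now) {
    const delivered = [];
    for (const sub of this.subscriptions) {
      if (this.revalidateOnBroadcast && !this.sessions.isValid(sub.token, now)) {
        continue; // session expired after subscribing: do not deliver
      }
      delivered.push(sub.clientId);
    }
    return delivered;
  }
}

// Constructed scenario: both clients subscribe with valid sessions at t=50,
// alice's session expires at t=100, an event is broadcast at t=200.
function simulate(revalidateOnBroadcast) {
  const sessions = new SessionStore();
  sessions.create('tok-alice', 100);
  sessions.create('tok-bob', 1000);
  const b = new Broadcaster(sessions, revalidateOnBroadcast);
  b.subscribe('alice', 'tok-alice', 50);
  b.subscribe('bob', 'tok-bob', 50);
  return b.broadcast({ className: 'Note', op: 'update' }, 200);
}
```

`simulate(false)` reproduces the reported behaviour (the expired client still receives the event); `simulate(true)` shows the check a defender would expect at dispatch time.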
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Parseplatform | Parse-Server | <= 4.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9 (Patch, Third Party Advisory)
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj (Third Party Advisory)
- https://npmjs.com/parse-server (Product, Third Party Advisory)
FAQ
What is CVE-2020-15270?
CVE-2020-15270 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects...
How severe is CVE-2020-15270?
CVE-2020-15270 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above.
Is there a patch for CVE-2020-15270?
Check the references section above for vendor advisories and patch information. Affected products include: Parseplatform Parse-Server.