CVE-2020-15126 parse-server

Package

Manager: npm
Name: parse-server
Vulnerable Version: >=3.5.0 <4.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00461 (percentile: 0.63237)

Details

GraphQL: Security breach on Viewer query

### Impact

An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

### Patches

This vulnerability has been patched in Parse Server 4.3.0.

### Workarounds

No

### References

See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.

Metadata

Created: 2020-07-22T23:06:47Z
Modified: 2023-10-26T11:33:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-236h-rqv8-8q73/GHSA-236h-rqv8-8q73.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-236h-rqv8-8q73
Finding: F006
Auto approve: 1