CVE-2020-15126

Information disclosure through Viewer query in parse-server

CVSS 6.5 MEDIUMEPSS 1.1%CWE-863

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

parse-community · parse-server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430 https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73