CVE-2020-15270

Improper session expiration in Parse Server

CVSS 4.3 (Medium) · EPSS 1.2% · CWE-672
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
22 Oct 2020: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
