CVE-2020-15270

Опубликовано: 22 окт. 2020

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

Ссылки

https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
Patch
Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
Third Party Advisory
https://npmjs.com/parse-server
Product
Third Party Advisory
https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
Patch
Third Party Advisory
https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
Third Party Advisory
https://npmjs.com/parse-server
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*

Версия до 4.3.0 (включая)

EPSS

Процентиль: 48%

0.00253

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-672

Связанные уязвимости

GHSA-2xm2-xj2q-qgpj