Vulnerability Details CVE-2020-15126
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.2%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Products affected by CVE-2020-15126
-
cpe:2.3:a:parseplatform:parse_server:*