CVE-2020-15270
Summary
| Field | Value |
|---|---|
| CVE | CVE-2020-15270 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-10-22 22:15:00 UTC |
| Updated | 2020-10-30 15:02:00 UTC |
| Description | Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| parse-server - npm | MISC | npmjs.com | Product, Third Party Advisory |
| Merge pull request from GHSA-2xm2-xj2q-qgpj · parse-community/parse-server@78b59fb · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Receiving subscription objects with deleted session · Advisory · parse-community/parse-server · GitHub | CONFIRM | github.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980502 Nodejs (npm) Security Update for parse-server (GHSA-2xm2-xj2q-qgpj)