CVE-2020-15270: Improper session expiration in Parse Server
First published: Thu Oct 22 2020(Updated: )
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parseplatform Parse-server | <=4.3.0 |
Remedy
https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-15270?
CVE-2020-15270 is a vulnerability in Parse Server that allows clients with expired sessions to still receive subscription objects.
How severe is CVE-2020-15270?
CVE-2020-15270 is classified as medium severity with a CVSS score of 4.3.
Which software is affected by CVE-2020-15270?
Parse Server versions up to 4.3.0 are affected by CVE-2020-15270.
How can I fix CVE-2020-15270?
To fix CVE-2020-15270, update Parse Server to a version above 4.3.0.
Where can I find more information about CVE-2020-15270?
You can find more information about CVE-2020-15270 on the GitHub repository and npmjs.com page for parse-server.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/parseplatform
- canonical/parseplatform parse-server
- version/parseplatform parse-server/4.3.0