
Information disclosure in parse-server

Severity: high
CVE: CVE-2020-5251
Published Mar 4, 2020 • updated Mar 4, 2020
Repository: parse-community/parse-server
Package: parse-server (npm)
Affected versions: < 4.1.0
Patched versions: 4.1.0

In parse-server before version 4.1.0, you can fetch all the user objects by using a regex in the NoSQL query.
By applying a regex to sessionToken in a NoSQL query, you can find valid accounts this way.
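
One way to reject the query shape described above before it reaches the database layer, as an added example that is not parse-server's code or its 4.1.0 fix. The function names, the protected-field list and the sample queries are assumptions constructed for illustration.

```javascript
// Added example (not parse-server code): allow only exact string equality
// on secret fields in a Mongo-style "where" clause.
const PROTECTED_FIELDS = new Set(['sessionToken']); // assumption: fields treated as secrets
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Returns the paths of all protected fields constrained by anything
// other than a plain string.
function findProtectedFieldViolations(where, path = 'where') {
  const violations = [];
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    return violations;
  }
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key)) {
      // Nested sub-queries must be walked too, or the check is bypassed.
      const branches = Array.isArray(value) ? value : [value];
      branches.forEach((branch, i) => {
        violations.push(...findProtectedFieldViolations(branch, `${path}.${key}[${i}]`));
      });
    } else if (PROTECTED_FIELDS.has(key) && typeof value !== 'string') {
      // An operator object ({$regex: ...}, {$gt: ...}) turns the query into
      // a yes/no oracle on the secret value, so only exact matches pass.
      violations.push(`${path}.${key}`);
    }
  }
  return violations;
}

// Throws on a violation; otherwise returns the clause unchanged.
function assertSafeWhere(where) {
  const violations = findProtectedFieldViolations(where);
  if (violations.length > 0) {
    throw new Error(`operator constraint on protected field: ${violations.join(', ')}`);
  }
  return where;
}

// Constructed sample inputs.
const exactMatch = { sessionToken: 'constructed-sample-token' };
const regexProbe = { sessionToken: { $regex: '^c' } };
const nestedProbe = { $or: [{ username: 'alice' }, { sessionToken: { $regex: '^c' } }] };
```
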


acinader published the maintainer security advisory Mar 3, 2020