Information disclosure in parse-server
high severity CVE-2020-5251 published
Mar 4, 2020
updated Mar 4, 2020
In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query.
Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.