Description
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on their own User object, and can also bypass read security on all objects linked to that User object via a Relation or Pointer.
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Patch, Third Party Advisory (x_refsource_misc): https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Scores
CVSS v3: 6.5
EPSS: 0.0107
EPSS Percentile: 60.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-863
Status: published
Products (2)
npm/parse-server: 3.5.0 - 4.3.0
parseplatform/parse_server: 3.5.0 - 4.3.0
Published: Jul 22, 2020
Tracked Since: Feb 18, 2026