CVE-2020-15270

MEDIUM

Parse Server - Info Disclosure

Title source: llm

Description

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

References (3)

[Patch, Third Party Advisory] https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj

[Product, Third Party Advisory] https://npmjs.com/parse-server

Scores

CVSS v3 4.3

EPSS 0.0025

EPSS Percentile 48.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-672

Status published

Affected Products (2)

parseplatform/parse-server < 4.3.0

npm/parse-server < 4.4.0npm

Timeline

Published Oct 22, 2020

Tracked Since Feb 18, 2026