CVE-2020-15270
Severity: MEDIUM
parse-server (npm: >= 0, < 4.4.0; parseplatform: < 4.3.0) - Unauthenticated Event Broadcast to Expired Sessions
Title source: llmDescription
Parse Server (npm package parse-server) broadcasts subscription events (its LiveQuery mechanism) to all connected clients without re-checking that each client's session token is still valid. A client whose session has expired since it subscribed therefore keeps receiving the objects its subscription matches. The session token is checked when a subscription is created, so an invalid or expired token cannot be used to open a new subscription; the gap is only the missing check at dispatch time (CWE-672, operation on a resource after expiration). The CVE description states that the issue is not patched; note, however, that the references below tag commit 78b59fb26b1c36e3cdbd42ba9fec025003267f58 as the patch and the affected npm range ends at 4.4.0.
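The following is an added illustration of the pattern the advisory describes, written for this page; it is not parse-server's own code and does not reproduce its LiveQuery implementation. It models a subscription hub with a hypothetical SessionStore and SubscriptionHub, checks the token at subscribe time (as the advisory says the real server does), and then shows the vulnerable dispatch path, which fans out to every subscriber, beside a hardened one that re-validates each subscriber's session before delivery and drops expired ones. Timestamps and tokens are constructed sample data.

```javascript
// Constructed session store: token -> expiry (ms since epoch). Hypothetical,
// not parse-server's session handling.
class SessionStore {
  constructor() { this.sessions = new Map(); }
  issue(token, ttlMs, now) { this.sessions.set(token, now + ttlMs); }
  isValid(token, now) {
    const exp = this.sessions.get(token);
    return exp !== undefined && now < exp;
  }
}

// Hypothetical subscription hub standing in for a LiveQuery-style server.
class SubscriptionHub {
  constructor(store) { this.store = store; this.subs = []; }

  // Both variants validate the token when the subscription is created,
  // matching the advisory's note that invalid tokens cannot create subscriptions.
  subscribe(client, token, now) {
    if (!this.store.isValid(token, now)) throw new Error('invalid session token');
    this.subs.push({ client, token });
  }

  // Vulnerable dispatch (CWE-672): every subscription that once passed the
  // subscribe-time check receives the event; the token is never re-checked.
  broadcastVulnerable(event) {
    const delivered = [];
    for (const s of this.subs) {
      s.client.inbox.push(event);
      delivered.push(s.client.name);
    }
    return delivered;
  }

  // Hardened dispatch: re-validate the session at delivery time, send an
  // error to clients whose session has expired and remove their subscription.
  broadcastHardened(event, now) {
    const delivered = [];
    this.subs = this.subs.filter((s) => {
      if (!this.store.isValid(s.token, now)) {
        s.client.inbox.push({ op: 'error', reason: 'session expired' });
        return false;
      }
      s.client.inbox.push(event);
      delivered.push(s.client.name);
      return true;
    });
    return delivered;
  }
}

function makeClient(name) { return { name, inbox: [] }; }

// Constructed scenario: alice's session lives 60 s, bob's 10 s; both subscribe
// at t0 and an event is dispatched at t0 + 30 s, after bob's session expired.
function runScenario(mode) {
  const store = new SessionStore();
  const hub = new SubscriptionHub(store);
  const t0 = 1600000000000;
  store.issue('tok-alice', 60000, t0);
  store.issue('tok-bob', 10000, t0);
  const alice = makeClient('alice');
  const bob = makeClient('bob');
  hub.subscribe(alice, 'tok-alice', t0);
  hub.subscribe(bob, 'tok-bob', t0);
  const event = { op: 'create', object: { className: 'Message', text: 'hello' } };
  const dispatchTime = t0 + 30000;
  return mode === 'hardened'
    ? hub.broadcastHardened(event, dispatchTime)
    : hub.broadcastVulnerable(event);
}

// Shows the subscribe-time check: an already-expired token cannot subscribe.
function expiredTokenCanSubscribe() {
  const store = new SessionStore();
  const hub = new SubscriptionHub(store);
  const t0 = 1600000000000;
  store.issue('tok-old', 10000, t0);
  try {
    hub.subscribe(makeClient('carol'), 'tok-old', t0 + 30000);
    return true;
  } catch (e) {
    return false;
  }
}

console.log('vulnerable delivered to:', runScenario('vulnerable'));
console.log('hardened delivered to:', runScenario('hardened'));
```

The design point is that validating a credential only at subscription creation turns a long-lived subscription into a resource that outlives its authorization; the hardened path treats every dispatch as a fresh authorization decision and evicts subscribers whose session no longer validates.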
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
Patch, Third Party Advisory (x_refsource_misc): https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
Product, Third Party Advisory (x_refsource_misc): https://npmjs.com/parse-server
Scores
CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0115 (1.15%)
EPSS Percentile: 62.6%
Details
CWE: CWE-672 (Operation on a Resource after Expiration or Release)
Status: published
Products (2)
npm/parse-server: >= 0, < 4.4.0
parseplatform/parse-server: < 4.3.0
Published: Oct 22, 2020
Tracked Since: Feb 18, 2026