
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Parse Server (npm package parse-server) broadcasts events to all clients without checking whether the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
References: https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58 ; https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj ; https://npmjs.com/parse-server
Weakness: CWE-672: Operation on a Resource after Expiration or Release

CVSS: 7.7 | EPSS: 0% | CPEs: 1 | EXPL: 1

In parse-server before version 4.1.0, all user objects can be fetched by using a regex in the NoSQL query. Using NoSQL, a regex on sessionToken can be used to find valid accounts this way.
References: https://github.com/ossf-cve-benchmark/CVE-2020-5251 ; https://github.com/parse-community/parse-server/commit/3a3a5eee5ffa48da1352423312cb767de14de269 ; https://github.com/parse-community/parse-server/security/advisories/GHSA-h4mf-75hf-67w4
Weaknesses: CWE-285: Improper Authorization; CWE-863: Incorrect Authorization

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

parse-server before 3.6.0 allows account enumeration.
References: https://github.com/parse-community/parse-server/security/advisories/GHSA-8w3j-g983-8jh5
Weakness: CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

parse-server before 3.4.1 allows DoS after any POST to a volatile class.
References: https://github.com/ossf-cve-benchmark/CVE-2019-1020012 ; https://github.com/parse-community/parse-server/security/advisories/GHSA-2479-qvv7-47qq
Weakness: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')