CVE-2020-5251 Information
Feb 14, 2021
Description
In parse-server before version 4.1.0, you can fetch all user objects by using a regex in the NoSQL query. By applying a regex to sessionToken in the NoSQL query, you can find valid accounts this way.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://github.com/parse-community/parse-server/commit/3a3a5eee5ffa48da1352423312cb767de14de269
https://github.com/parse-community/parse-server/security/advisories/GHSA-h4mf-75hf-67w4
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM