Home > Vulnerability Database > CVE-2020-15270

Mend.io Vulnerability Database

CVE-2020-15270

Good to know:

Date: October 30, 2020

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

Language: JS

Severity Score

4.3

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15270

Url: https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj

Url: https://npmjs.com/parse-server

Url: https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58

Url: https://www.mend.io/vulnerability-database/CVE-2020-15270

Severity Score

4.3

Weakness Type (CWE)

Operation on a Resource after Expiration or Release

CWE-672

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15270

Good to know:

Date: October 30, 2020

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?