CVE-2020-15270 - Operation on a Resource after Expiration or Release vulnerability in Parseplatform Parse-Server
CVSS v3 metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: LOW
- Integrity impact: NONE
- Availability impact: NONE

Summary
Parse Server (npm package parse-server) broadcasts LiveQuery events to every subscribed client without checking whether that client's session token is still valid. A client whose session has expired therefore keeps receiving subscription objects for as long as its subscription exists; the validity check is only applied when the subscription is created, not when each event is delivered. It is not possible to create a subscription with an invalid session token, so the exposure is limited to sessions that were valid at subscribe time and later expired. The issue is not patched.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
- CWE-672: Operation on a Resource after Expiration or Release
References
- https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58
- https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj
- https://npmjs.com/parse-server