Vulnerabilities > CVE-2020-15270 - Operation on a Resource after Expiration or Release vulnerability in Parseplatform Parse-Server

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
parseplatform
CWE-672

Summary

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

Vulnerable Configurations

Part Description Count
Application
Parseplatform
131