Lucene search
GitHub_MCVELIST:CVE-2020-15126HistoryJul 22, 2020 - 11:05 p.m.
CVE-2020-15126 Information disclosure through Viewer query in parse-server
2020-07-2223:05:19
CWE-863
GitHub_M
www.cve.org
2
information disclosure
cve-2020-15126
viewer query
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
0.001
Percentile
43.0%
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
CNA Affected
[
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": ">= 3.5.0, < 4.3.0"
}
]
}
]Related
cve
cve
CVE-2020-15126
2020-07-22 23:15:11
osv
osv
GraphQL: Security breach on Viewer query
2020-07-22 23:06:47
CVE-2020-15126
2020-07-22 23:15:11
nvd
nvd
CVE-2020-15126
2020-07-22 23:15:11
veracode
veracode
Authorization Bypass
2020-07-23 02:01:37
github
github
GraphQL: Security breach on Viewer query
2020-07-22 23:06:47
prion
prion
Design/Logic Flaw
2020-07-22 23:15:00
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
0.001
Percentile
43.0%
Related for CVELIST:CVE-2020-15126