
8 matches found

OSV
added 2024/03/06 11:4 a.m. · 15 views

BIT-PARSE-2020-15270 Improper session expiration in Parse Server

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVSS 4.3 · AI score 4.4 · EPSS 0.00253
Exploits 0 · References 4

Github Security Blog
added 2020/10/27 7:15 p.m. · 44 views

receiving subscription objects with deleted session

Original Message: Hi, I create objects with one client with an ACL of all users with a specific column value. That's working so far. Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session can't crea...

CVSS 4.3 · AI score 0.9 · EPSS 0.00253
Exploits 0 · References 4 · Affected Software 1

OSV
added 2020/10/22 10:15 p.m. · 12 views

CVE-2020-15270

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVSS 4.3 · AI score 6.7
Exploits 0 · References 3

NVD
added 2020/10/22 10:15 p.m. · 14 views

CVE-2020-15270

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVSS 4.3 · EPSS 0.00253
Exploits 0 · References 3

Prion
added 2020/10/22 10:15 p.m. · 11 views

Design/Logic Flaw

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVSS 4 · AI score 4.5 · EPSS 0.00253
Exploits 0 · References 3 · Affected Software 1

CVE
added 2020/10/22 9:25 p.m. · 48 views

CVE-2020-15270

Parse Server (parse-server) Vulnerability CVE-2020-15270: the Live Query mechanism allowed broadcasting subscription objects to clients with invalid/expired sessions because the session token validation was not enforced after the WebSocket connection was established. The issue is described in mul...

CVSS 4.3 · AI score 4.4 · EPSS 0.00253
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2020/10/22 9:25 p.m. · 13 views

CVE-2020-15270 Improper session expiration in Parse Server

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVSS 4.3 · AI score 4.5 · EPSS 0.00253
Exploits 0 · References 3

Positive Technologies
added 2020/10/22 12:0 a.m. · 2 views

PT-2020-14328 · Parse · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions 4.3.0
Description: The issue allows clients with expired sessions to still receive subscription objects because Parse Server broadcasts events to all clients without checking if the session token is valid. It is not...

CVSS 4.3 · AI score 4.4 · EPSS 0.00253
Exploits 0 · References 9