3 matches found
CVE-2020-26288
CVE-2020-26288 (Parse Server) affects the parse-server npm package prior to version 4.5.0. In those versions, user passwords involved in LDAP authentication are stored in cleartext, creating a risk of exposure. The issue is resolved in version 4.5.0, which fixes the vulnerability by stripping the...
CVE-2020-5251
CVE-2020-5251 affects parse-server prior to version 4.1.0. An insecure regex in NoSQL queries on the _sessionToken (and related token[$regex]) can disclose information by enumerating user objects, enabling an attacker to identify valid accounts. This is a information-disclosure flaw rather than r...
CVE-2020-15270
Parse Server (parse-server) Vulnerability CVE-2020-15270: the Live Query mechanism allowed broadcasting subscription objects to clients with invalid/expired sessions because the session token validation was not enforced after the WebSocket connection was established. The issue is described in mul...