In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
References
Link | Resource |
---|---|
https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430 | Release Notes Third Party Advisory |
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa | Patch Third Party Advisory |
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-07-22T23:05:19
Updated: 2020-07-22T23:05:18
Reserved: 2020-06-25T00:00:00
Link: CVE-2020-15126
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-07-22T23:15:11.207
Modified: 2020-07-28T17:30:03.817
Link: CVE-2020-15126
JSON object: View
Redhat Information
No data.
CWE