CVE-2020-15126, GHSA-236h-rqv8-8q73
npm/parse-server
Incorrect Authorization
In parse-server, an authenticated user using the viewer GraphQL query can bypass all read security on their own User object, and can also bypass read security on all objects linked via relation or Pointer on that User object.
All versions from 3.5.0 up to, but not including, 4.3.0
Upgrade to version 4.3.0 or above.
2020-07-30