CVE-2020-15126

Incorrect Authorization in npm/parse-server

Identifiers

CVE-2020-15126, GHSA-236h-rqv8-8q73

Package Slug

npm/parse-server

Vulnerability

Incorrect Authorization

Description

In parse-server, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass read security on all objects linked via relation or Pointer on his User object.

Affected Versions

All versions starting from 3.5.0 before 4.3.0

Solution

Upgrade to version 4.3.0 or above.
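To check whether a project still resolves parse-server inside the affected range stated above, the following added example (not part of the advisory or of the parse-server project) scans a parsed npm package-lock.json object. The function names, the `status` field and the sample lockfile are hypothetical; it assumes npm's lockfile layouts (a flat `packages` map in lockfileVersion 2/3, a nested `dependencies` tree in version 1) and semver ordering of prereleases.

```javascript
// Added example: affected range taken from the advisory above (>= 3.5.0, < 4.3.0).
const AFFECTED_FROM = [3, 5, 0], FIXED_IN = [4, 3, 0];
// Parse "major.minor.patch[-prerelease][+build]"; null if it is not a semver string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m && { core: [+m[1], +m[2], +m[3]], pre: m[4] !== undefined };
}
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true = in the affected range, false = outside it, null = not a semver string.
// A prerelease sorts before its release (semver), so 4.3.0-rc.1 is still "before 4.3.0".
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const lo = compareCore(p.core, AFFECTED_FROM), hi = compareCore(p.core, FIXED_IN);
  if (lo < 0 || (lo === 0 && p.pre)) return false;
  return hi < 0 || (hi === 0 && p.pre);
}

// Walk a parsed package-lock.json and report every parse-server copy worth a look.
function findAffected(lock) {
  const hits = [];
  const check = (where, version) => {
    const r = isAffected(version);
    if (r !== false) hits.push({ where, version, status: r ? 'affected' : 'unparsed' });
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/parse-server$/.test(path)) check(path, meta.version);
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === 'parse-server') check([...trail, name].join(' > '), meta.version);
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}
// Constructed sample lockfile, not taken from any real project.
const sampleLock = { lockfileVersion: 2, packages: {
  'node_modules/parse-server': { version: '4.2.0' },
  'node_modules/demo-dep/node_modules/parse-server': { version: '4.3.0' } } };
console.log(findAffected(sampleLock));
```

Entries reported as `unparsed` (for example a git or file reference instead of a registry version) need a manual look, since the range check cannot decide them.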

Last Modified

2020-07-30
