{"containers": {"cna": {"affected": [{"product": "parse-server", "vendor": "parse-community", "versions": [{"status": "affected", "version": ">= 3.5.0, < 4.3.0"}]}], "descriptions": [{"lang": "en", "value": "In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-22T23:05:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430"}], "source": {"advisory": "GHSA-236h-rqv8-8q73", "discovery": "UNKNOWN"}, "title": "Information disclosure through Viewer query in parse-server", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15126", "STATE": "PUBLIC", "TITLE": "Information disclosure through Viewer query in parse-server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "parse-server", "version": {"version_data": [{"version_value": ">= 3.5.0, < 4.3.0"}]}}]}, "vendor_name": "parse-community"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73", "refsource": "CONFIRM", "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73"}, {"name": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa"}, {"name": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430", "refsource": "MISC", "url": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430"}]}, "source": {"advisory": "GHSA-236h-rqv8-8q73", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.292Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15126", "datePublished": "2020-07-22T23:05:19", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.292Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "58698788-8FFD-4933-9B83-9B675261A24F", "versionEndExcluding": "4.3.0", "versionStartIncluding": "3.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object."}, {"lang": "es", "value": "En parser-server desde la versi\u00f3n 3.5.0 y anteriores a 4.3.0, un usuario autenticado que use la consulta GraphQL del visualizador puede pasar toda la seguridad de lectura en su objeto Usuario y tambi\u00e9n puede pasar todos los objetos vinculados por medio de una relaci\u00f3n o Puntero en su objeto de Usuario"}], "id": "CVE-2020-15126", "lastModified": "2024-11-21T05:04:53.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-22T23:15:11.207", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}