Description

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.

Remediation

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-2xm2-xj2q-qgpj

https://github.com/parse-community/parse-server/commit/78b59fb26b1c36e3cdbd42ba9fec025003267f58

https://npmjs.com/parse-server

Related Vulnerabilities

CVE-2013-7370 Vulnerability in npm package connect

CVE-2021-34081 Vulnerability in npm package gitsome

CVE-2023-30524 Vulnerability in maven package org.jenkins-ci.plugins:reportportal

CVE-2020-2187 Vulnerability in maven package org.jenkins-ci.plugins:ec2

CVE-2016-1000031 Vulnerability in maven package commons-fileupload:commons-fileupload

Severity

Medium

Classification

CWE-672 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Third Party Advisory Patch Product