GHSA-236h-rqv8-8q73
Suggest an improvement- Source
- https://github.com/advisories/GHSA-236h-rqv8-8q73
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-236h-rqv8-8q73/GHSA-236h-rqv8-8q73.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-236h-rqv8-8q73
- Aliases
- Related
- Published
- 2020-07-22T23:06:47Z
- Modified
- 2026-01-30T00:45:23.535081Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- GraphQL: Security breach on Viewer query
- Details
-
Impact
An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
Patches
This vulnerability has been patched in Parse Server 4.3.0.
Workarounds
No
References
See commit 78239ac for details.
- Database specific
{ "cwe_ids": [ "CWE-863" ], "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2020-07-22T23:06:30Z", "severity": "MODERATE" }- References
-
- https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
- https://nvd.nist.gov/vuln/detail/CVE-2020-15126
- https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
- https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
Affected packages
npm / parse-server
Package
- Name
- parse-server
- View open source insights on deps.dev
- Purl
- pkg:npm/parse-server