Skip to main content

Parse Server CVE-2020-5251

MEDIUM
Improper Authorization (CWE-285)
2020-03-04 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 04, 2020 - 15:15 nvd
MEDIUM 5.3

DescriptionNVD

In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.

AnalysisAI

In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-285. In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. Affected products include: Parseplatform Parse-Server. Version information: version 4.1.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2026-32248 CRITICAL POC
9.8 Mar 12

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

CVE-2026-32242 HIGH POC
7.4 Mar 12

### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all

CVE-2026-30966 CRITICAL
10.0 Mar 10

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

CVE-2024-27298 CRITICAL
10.0 Mar 01

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2026-30863 CRITICAL
9.8 Mar 07

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula

CVE-2026-31840 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CVE-2026-31871 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

CVE-2026-31856 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

CVE-2023-36475 CRITICAL
9.8 Jun 28

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41878 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41879 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

Share

CVE-2020-5251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy