CVE-2020-15126
Published 2020-07-22
Priority P4 · 33 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.07% (60.7th percentile)
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 3.5.0 < 4.3.0 | 4.3.0 |
| parseplatform | parse_server | >= 3.5.0 < 4.3.0 | 4.3.0 |
CVSS provenance
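| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_cisco | — | 4.3 | MEDIUM | — |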
OSV
GraphQL: Security breach on Viewer query
osv·2020-07-22
CVE-2020-15126 [MEDIUM] GraphQL: Security breach on Viewer query
### Impact
An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
### Patches
This vulnerability has been patched in Parse Server 4.3.0.
### Workarounds
No
### References
See [commit 78239ac](https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa) for details.
GHSA
GraphQL: Security breach on Viewer query
ghsa·2020-07-22
CVE-2020-15126 [MEDIUM] CWE-863 GraphQL: Security breach on Viewer query
Cisco
Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability
vendor_cisco·2020-02-27·CVSS 4.3
CVE-2019-15126 [MEDIUM] CWE-326 Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability
On February 26th, 2020, researchers Štefan Svorenčík and Robert Lipovský disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without the knowledge of the Wireless Protected Access (WPA) or Wireless Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the Wi-Fi network.
The vulnerability exists because after an affected device handles a disassociation event it could send a limited number of Wi-Fi frames encrypted with a static, weak PTK. An attacker could exploit this vulnerability by acquiring these frames and decryptin
Cisco
Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability
vendor_cisco·CVSS 3.0
CVE-2019-15126 Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability
On February 26th, 2020, researchers Štefan Svorenčík and Robert Lipovský disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without the knowledge of the Wireless Protected Access (WPA) or Wireless Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the Wi-Fi network. The vulnerability exists because after an affected device handles a disassociation event it could send a limited number of Wi-Fi frames encrypted with a static, weak PTK. An attacker could exploit this vulnerability by acquiring these frames
No detection rules found.
No public exploits indexed.
https://github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
https://github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
https://github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73
Published: 2020-07-22