CVE-2020-15270: Operation on a Resource after Expiration or Release

October 22, 2020 (updated October 30, 2020)

The Parse Server npm package broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. However, it is not possible to create subscription objects with invalid session tokens.

References

nvd.nist.gov/vuln/detail/CVE-2020-15270

Code Behaviors & Features

Detect and mitigate CVE-2020-15270 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →