PT-2020-18345 · Parse · Parse Server

Acinader +1 · Published 2020-03-04 · Updated 2024-03-06 · CVE-2020-5251

CVSS v3.1: 7.7 High

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

parse-server versions prior to 4.1.0

Description

The issue allows fetching all user objects by using a regex in the NoSQL query, specifically targeting the sessionToken. This can be achieved through the API endpoint "/parse/users/me" by using a regex on the sessionToken variable, such as "_SessionToken":{"$regex":"r:027f"}. Similar vulnerabilities exist in the verify email and request password reset functionalities, where an attacker can use a regex in the token parameter to verify an account or reset a password, for example by accessing the endpoint http://localhost:1337/parse/apps/kickbox/verify_email?token[$regex]=a&username=some@email.com or http://localhost:1337/parse/apps/kickbox/request_password_reset?token[$regex]=a&username=some@email.com. This method enables retrieval of accounts without user interaction.

Recommendations

For parse-server versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the NoSQL query functionality and limiting the use of regex on the sessionToken variable until a patch is applied. Additionally, restrict access to the verify email and request password reset endpoints to minimize the risk of exploitation.
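One way to apply the temporary workaround in front of an unpatched server, as an added example (not Parse Server's fix and not code from the advisory): reject any request in which a token-like field arrives as anything other than a plain string. The function names `checkQuery` and `checkBody` and the field list are assumptions made for this sketch.

```javascript
// Added example: defensive request check, not Parse Server's own fix.
// Fields that must only ever arrive as literal strings (assumed list).
const STRING_ONLY = new Set(['token', 'username', 'sessionToken', '_SessionToken']);

// Query-string check. Parsers such as qs turn `token[$regex]=a` into
// { token: { $regex: 'a' } } and repeated keys into arrays, so both
// shapes are reported. Returns the offending field names.
function checkQuery(requestUrl) {
  // The base URL is only there so relative paths parse.
  const params = new URL(requestUrl, 'http://placeholder.invalid').searchParams;
  const counts = new Map();
  const problems = new Set();
  for (const key of params.keys()) {        // keys are percent-decoded
    const base = key.split('[')[0];
    if (!STRING_ONLY.has(base)) continue;
    counts.set(base, (counts.get(base) || 0) + 1);
    if (key !== base || counts.get(base) > 1) problems.add(base);
  }
  return [...problems];
}

// JSON-body check: a string-only field holding an object or array
// (for example {"$regex": "..."}) is reported.
function checkBody(body) {
  return Object.keys(body || {}).filter(
    (field) => STRING_ONLY.has(field) && typeof body[field] !== 'string'
  );
}

// Requests taken from the advisory text, plus constructed benign ones.
const samples = [
  'http://localhost:1337/parse/apps/kickbox/verify_email?token[$regex]=a&username=some@email.com',
  '/parse/apps/kickbox/verify_email?token=constructed123&username=some@email.com',
];
for (const url of samples) {
  const bad = checkQuery(url);
  console.log(bad.length ? `REJECT (${bad.join(', ')})` : 'allow', url);
}
console.log(checkBody({ _SessionToken: { $regex: 'r:027f' } })); // from the advisory
console.log(checkBody({ _SessionToken: 'r:constructed' }));      // constructed
```

A check like this belongs in a reverse proxy or middleware ahead of the server; upgrading to 4.1.0 or later remains the fix.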

Fix

Incorrect Authorization

Improper Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-PARSE-2020-5251
CVE-2020-5251
GHSA-H4MF-75HF-67W4

Affected Products

Parse Server