Observable discrepancy in parse-server - #VU132205

 


Published: July 11, 2019 / Updated: May 23, 2026


Vulnerability identifier: #VU132205
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-203
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MeetFox
Affected software:
parse-server

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information about linked accounts and email addresses.

The vulnerability exists due to improper access control in the account linking functionality when handling account linking requests. A remote attacker can guess account identifiers and observe different error responses to disclose sensitive information about linked accounts and email addresses.

The issue arises because different errors are returned before the authorization check is performed.
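
The check ordering described above, shown as an added JavaScript sketch that is not parse-server's own code: a flawed handler beside a corrected one, plus a regression check that compares responses for an unauthorized caller. The handler names, identifiers, error strings and data are all hypothetical and constructed for illustration.

```javascript
// Added illustration; NOT parse-server code. All names and data are hypothetical.
const linkedAccounts = new Map([ // constructed sample data
  ['ext-1001', { ownerId: 'alice', email: 'alice@example.test' }],
]);

const DENIED = Object.freeze({ status: 403, error: 'Permission denied' });

// Flawed ordering: the lookup result is reported before the caller is
// authorized, so the error reveals whether the identifier is already linked.
function linkAccountFlawed(callerId, targetUserId, externalId) {
  const existing = linkedAccounts.get(externalId);
  if (existing && existing.ownerId !== targetUserId) {
    return { status: 400, error: 'This account is already linked' };
  }
  if (callerId !== targetUserId) return DENIED;
  return { status: 200 };
}

// Corrected ordering: authorize first and return one uniform denial,
// so nothing about stored data reaches an unauthorized caller.
function linkAccountFixed(callerId, targetUserId, externalId) {
  if (callerId !== targetUserId) return DENIED;
  const existing = linkedAccounts.get(externalId);
  if (existing && existing.ownerId !== targetUserId) {
    return { status: 400, error: 'This account is already linked' };
  }
  return { status: 200 };
}

// Regression check: for an unauthorized caller the response must not depend
// on whether the identifier exists. Returns true if a discrepancy is visible.
function leaksExistence(handler) {
  const known = handler('mallory', 'bob', 'ext-1001');
  const unknown = handler('mallory', 'bob', 'ext-9999');
  return JSON.stringify(known) !== JSON.stringify(unknown);
}
```

A check like `leaksExistence` can run in a test suite against each endpoint that accepts a guessable identifier, comparing status code and body together.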


Remediation

Install the security update from the vendor's website.
