CVE-2020-26288 – parse-server
Package
Manager: npm
Name: parse-server
Vulnerable Version: >=0 <4.5.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.00163 (percentile: 0.37771)
Details
Parse Server stores password in plain text
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
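The difference between persisting LDAP auth data unchanged and stripping the password after authentication, as an added sketch that is not parse-server's own code. The `ldapBind` stand-in, the `Map`-backed store, the function names and the credential are all hypothetical or constructed.

```javascript
// Added illustration; every name here is hypothetical, not parse-server's code.

// Constructed sample input: the authData a client sends for an LDAP login.
function sampleAuthData() {
  return { ldap: { id: 'jdoe', password: 'constructed-secret' } };
}

// Synchronous stand-in for an LDAP bind (a real bind is asynchronous).
function ldapBind(id, password) {
  if (id !== 'jdoe' || password !== 'constructed-secret') {
    throw new Error('LDAP bind failed');
  }
}

// Vulnerable pattern: the authData used for the bind is persisted unchanged.
function loginAndStoreVulnerable(db, authData) {
  ldapBind(authData.ldap.id, authData.ldap.password);
  db.set(authData.ldap.id, { authData });
  return db.get(authData.ldap.id);
}

// Hardened pattern: once the bind succeeds, store a copy without the password.
function loginAndStoreHardened(db, authData) {
  ldapBind(authData.ldap.id, authData.ldap.password);
  const { password, ...ldapWithoutSecret } = authData.ldap;
  db.set(authData.ldap.id, { authData: { ...authData, ldap: ldapWithoutSecret } });
  return db.get(authData.ldap.id);
}

// Audit helper: list "userId:provider" for stored records that hold a password.
function findStoredPasswords(db) {
  const hits = [];
  for (const [id, record] of db) {
    for (const [provider, data] of Object.entries(record.authData || {})) {
      if (data && typeof data === 'object' && 'password' in data) {
        hits.push(`${id}:${provider}`);
      }
    }
  }
  return hits;
}

const vulnerableDb = new Map();
loginAndStoreVulnerable(vulnerableDb, sampleAuthData());
console.log(findStoredPasswords(vulnerableDb));
```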
Metadata
Created: 2020-12-28T16:33:17Z
Modified: 2021-01-07T22:32:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-4w46-w44m-3jq3/GHSA-4w46-w44m-3jq3.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-4w46-w44m-3jq3
Finding: F020
Auto approve: 1