GHSA-wvh7-5p38-2qfc – parse

Package

Manager: npm
Name: parse
Vulnerable Version: >=0 <2.10.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Storing Password in Local Storage The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." Example Code: ```js async () => { const user = Parse.User.current() if (user) { user.setPassword('newpass') await user.save() } } ``` After running the above code, the new password will be stored in localStorage as a property named "password". Proposed Solution: Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object. Configuration: Parse SDK: 2.9.1 Parse Server: 3.9.0

Metadata

Created: 2020-07-23T18:20:10Z
Modified: 2021-09-22T21:05:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-wvh7-5p38-2qfc/GHSA-wvh7-5p38-2qfc.json
CWE IDs: ["CWE-256"]
Alternative ID: N/A
Finding: F085
Auto approve: 1