Description
The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user’s password in localStorage as raw text, making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all.
Recommendation
Update the parse package to the latest compatible version. Version details:
- Affected version(s): < 2.10.0
- Patched version(s): 2.10.0
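
The following is an added example, not code from the Parse SDK or from this advisory: a check for whether a `parse` version falls in the affected range, plus a cleanup that strips a `password` field from cached user records in a Web Storage object. The storage key pattern `Parse/<applicationId>/currentUser`, the helper names and the sample data are assumptions made for illustration.

```javascript
// Added example, not Parse SDK code. Assumption: the SDK caches the current
// user as JSON under a key shaped like "Parse/<applicationId>/currentUser".
const CURRENT_USER_KEY = /^Parse\/.+\/currentUser$/;

// True when a parse package version string is below the patched 2.10.0.
function isAffectedVersion(version) {
  const [major, minor] = version.split('.').map((n) => parseInt(n, 10));
  return major < 2 || (major === 2 && minor < 10);
}

// Scan a Web Storage object, strip any "password" field from cached user
// records, and return the keys that had one.
function scrubCachedPasswords(storage) {
  const cleaned = [];
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  for (const key of keys) {
    if (!CURRENT_USER_KEY.test(key)) continue;
    let record;
    try {
      record = JSON.parse(storage.getItem(key));
    } catch (err) {
      continue; // not JSON (for example an encrypted record): leave untouched
    }
    if (record && typeof record === 'object' && 'password' in record) {
      delete record.password;
      storage.setItem(key, JSON.stringify(record));
      cleaned.push(key);
    }
  }
  return cleaned;
}

// Minimal in-memory stand-in for window.localStorage so this runs under Node.
function makeMemoryStorage(initial) {
  const map = new Map(Object.entries(initial));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Constructed sample data: one cached user carrying a password, one unrelated key.
const sample = makeMemoryStorage({
  'Parse/myAppId/currentUser': JSON.stringify({ username: 'alice', password: 'hunter2' }),
  theme: 'dark',
});
console.log(scrubCachedPasswords(sample));
```

In a browser, pass `window.localStorage` to `scrubCachedPasswords`. A record written by an affected version stays in storage until it is rewritten or cleared, so the cleanup is worth running once after the upgrade.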
References
Related Issues
- Parse Server option `masterKeyIps` vulnerability to IP spoofing - CVE-2023-22474
- Redwood is vulnerable to account takeover via dbAuth "forgot-password" - Vulnerability
- Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
Tags:
- npm
- parse
Last updated on January 09, 2023