Description
The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user’s password in localStorage as raw text, making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all.
Recommendation
Update the parse package to the latest compatible version. Version details:
- Affected version(s): < 2.10.0
- Patched version(s): 2.10.0
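A way to check a browser profile for the leftover described above, as an added example that is not code from the Parse SDK or from this advisory: it scans a Storage-like object for cached user records that contain a `password` field and removes that field. The key layout `Parse/<appId>/currentUser`, the function names and the sample records are assumptions made for this example.

```javascript
// Added example: audit a Storage-like object (e.g. window.localStorage) for
// cached Parse user records that still carry a plaintext password, and scrub them.
// Assumption: the SDK caches the user under "Parse/<appId>/currentUser".
const CURRENT_USER_KEY = /^Parse\/[^/]+\/currentUser$/;

function findStoredPasswords(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (!CURRENT_USER_KEY.test(key)) continue;
    let record;
    try {
      record = JSON.parse(storage.getItem(key));
    } catch (e) {
      continue; // not JSON, so not a cached user object
    }
    if (record && typeof record === 'object' && 'password' in record) {
      hits.push(key);
    }
  }
  return hits;
}

function scrubStoredPasswords(storage) {
  const hits = findStoredPasswords(storage); // collect first, then rewrite
  for (const key of hits) {
    const record = JSON.parse(storage.getItem(key));
    delete record.password; // keep the rest of the cached user intact
    storage.setItem(key, JSON.stringify(record));
  }
  return hits;
}

// Minimal in-memory stand-in for localStorage so the example runs under Node.
function makeMemoryStorage(initial) {
  const map = new Map(Object.entries(initial));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Constructed sample data: one affected record, one clean record, one unrelated key.
const sampleStorage = makeMemoryStorage({
  'Parse/app1/currentUser': JSON.stringify({ objectId: 'u1', username: 'alice', password: 'example-only' }),
  'Parse/app2/currentUser': JSON.stringify({ objectId: 'u2', username: 'bob' }),
  'theme': 'dark',
});
```

In a browser, call `scrubStoredPasswords(window.localStorage)`; this only cleans records already written, and upgrading to the patched version remains the fix the advisory recommends.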
References
Related Issues
- Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
Tags
- npm
- parse
Last updated on January 09, 2023