GHSA-WVH7-5P38-2QFC
Vulnerability from github – Published: 2020-07-23 18:20 – Updated: 2021-09-22 21:05The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."
Example Code:
async () => {
const user = Parse.User.current()
if (user) {
user.setPassword('newpass')
await user.save()
}
}
After running the above code, the new password will be stored in localStorage as a property named "password".
Proposed Solution: Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.
Configuration: Parse SDK: 2.9.1 Parse Server: 3.9.0
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-23T18:18:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user\u0027s password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users \u003e Signing Up, it clearly states, \"We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext.\"\n\nExample Code:\n```js\nasync () =\u003e {\n const user = Parse.User.current()\n if (user) {\n user.setPassword(\u0027newpass\u0027)\n await user.save()\n }\n}\n```\nAfter running the above code, the new password will be stored in localStorage as a property named \"password\".\n\nProposed Solution:\nBefore saving anything to localStorage, Parse should strip out any properties named \"password\" that are attempting to be stored with a Parse.User type object.\n\nConfiguration:\nParse SDK: 2.9.1\nParse Server: 3.9.0",
"id": "GHSA-wvh7-5p38-2qfc",
"modified": "2021-09-22T21:05:43Z",
"published": "2020-07-23T18:20:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-wvh7-5p38-2qfc"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/Parse-SDK-JS/commit/d1106174571b699f972929dd7cbb8e45b5283cbb"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/Parse-SDK-JS"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Storing Password in Local Storage"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.