parse@1.8.0-rc2 vulnerabilities

Parse JavaScript SDK

latest version

5.3.0
latest non vulnerable version

5.3.0
first published

12 years ago
latest version published

4 months ago
licenses detected
- BSD-3-Clause
  >=1.1.5 <4.0.0-alpha.8; >=4.0.0-beta.1 <4.0.1-beta.1
View parse package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the parse package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Insufficiently Protected Credentials parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app. Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." PoC by Diamond Lewis and Colin Ulin `async () => { const user = Parse.User.current() if (user) { user.setPassword('newpass') await user.save() } }` After running the above code, the new password will be stored in localStorage as a property named "password". How to fix Insufficiently Protected Credentials? Upgrade `parse` to version 2.10.0 or higher.	<2.10.0

Insufficiently Protected Credentials

parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

PoC by Diamond Lewis and Colin Ulin

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

How to fix Insufficiently Protected Credentials?

Upgrade parse to version 2.10.0 or higher.

<2.10.0

Go back to all versions of this package

parse@1.8.0-rc2 vulnerabilities

Parse JavaScript SDK

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC by Diamond Lewis and Colin Ulin