Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for saleor-storefront by mirumee

    CVE-2020-15085 (GCVE-0-2020-15085)

    Vulnerability from nvd – Published: 2020-06-30 16:25 – Updated: 2024-08-04 13:08
    VLAI
    Title
    Client caching login operation with plaintext password in Saleor Storefront
    Summary
    In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    mirumee saleor-storefront Affected: < 2.10.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:08:22.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "saleor-storefront",
              "vendor": "mirumee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.10.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-30T16:25:13.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
            }
          ],
          "source": {
            "advisory": "GHSA-4279-h39w-2jqm",
            "discovery": "UNKNOWN"
          },
          "title": "Client caching login operation with plaintext password in Saleor Storefront",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-15085",
              "STATE": "PUBLIC",
              "TITLE": "Client caching login operation with plaintext password in Saleor Storefront"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "saleor-storefront",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.10.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "mirumee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-312 Cleartext Storage of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4279-h39w-2jqm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-15085",
        "datePublished": "2020-06-30T16:25:13.000Z",
        "dateReserved": "2020-06-25T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:08:22.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-15085 (GCVE-0-2020-15085)

    Vulnerability from cvelistv5 – Published: 2020-06-30 16:25 – Updated: 2024-08-04 13:08
    VLAI
    Title
    Client caching login operation with plaintext password in Saleor Storefront
    Summary
    In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    mirumee saleor-storefront Affected: < 2.10.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:08:22.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "saleor-storefront",
              "vendor": "mirumee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.10.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-30T16:25:13.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
            }
          ],
          "source": {
            "advisory": "GHSA-4279-h39w-2jqm",
            "discovery": "UNKNOWN"
          },
          "title": "Client caching login operation with plaintext password in Saleor Storefront",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-15085",
              "STATE": "PUBLIC",
              "TITLE": "Client caching login operation with plaintext password in Saleor Storefront"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "saleor-storefront",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.10.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "mirumee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-312 Cleartext Storage of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4279-h39w-2jqm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-15085",
        "datePublished": "2020-06-30T16:25:13.000Z",
        "dateReserved": "2020-06-25T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:08:22.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }