PT-2020-21570 · Parse · Parse Server+1

Published 2020-07-23 · Updated 2020-07-23

None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Parse SDK version 2.9.1; Parse Server version 3.9.0
Description: The issue arises from the setPassword method, which stores a user's password in localStorage as raw text, making it readable by anything that can access the browser's localStorage (other scripts running in the same origin, browser extensions, or anyone with access to the device profile). This contradicts the documentation, which states that passwords are never stored in plaintext. The password is written as a property named "password" in the persisted user object once setPassword is called and the changes are saved.
Recommendations: For Parse SDK version 2.9.1, consider modifying the setPassword method (or the save path it feeds) to strip any property named password before the user object is serialized to localStorage. For Parse Server version 3.9.0, ensure that the server configuration does not store or transmit passwords in plaintext, and review client-side code for the same pattern of persisting the user object, including its password field, to localStorage. As a temporary workaround, consider disabling the setPassword method until a patch is available that handles password storage properly.
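The following is an added illustration, not code from the Parse SDK or Parse Server. It models the flow the advisory describes (a "password" attribute is set on a user object, then the whole object is saved to localStorage) and places the unsafe save beside a hardened save that strips sensitive fields before serializing, plus a small check a defender can run over a storage object to confirm nothing sensitive was persisted. The in-memory storage, the storage key "currentUser" and the function names are assumptions made for the example so that it runs under Node without a browser.

```javascript
// Added example (not Parse SDK code). Simulates persisting a client-side user
// object and shows the unsafe save beside a hardened one.

// Constructed stand-in for window.localStorage so the example runs in Node.
const memoryStorage = (() => {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, String(v)),
    removeItem: (k) => store.delete(k),
    clear: () => store.clear(),
  };
})();

// Hypothetical storage key; the real SDK's key is not named in the advisory.
const STORAGE_KEY = 'currentUser';

// Fields that must never be persisted client-side. "password" is the one the
// advisory names; the set is easy to extend.
const SENSITIVE_FIELDS = new Set(['password']);

// Unsafe variant: persists every attribute verbatim, including the password.
// This is the behaviour the advisory describes.
function saveUserUnsafe(user, storage = memoryStorage) {
  storage.setItem(STORAGE_KEY, JSON.stringify(user));
}

// Hardened variant: copies the object without sensitive attributes before
// serializing, so the password never reaches the storage layer.
function saveUserSafe(user, storage = memoryStorage) {
  const persisted = {};
  for (const [key, value] of Object.entries(user)) {
    if (!SENSITIVE_FIELDS.has(key)) persisted[key] = value;
  }
  storage.setItem(STORAGE_KEY, JSON.stringify(persisted));
  return persisted;
}

// Defender-side check: parse each stored JSON value and report any top-level
// sensitive field. Returns entries like "currentUser.password".
function findLeakedSecrets(storage, keys = [STORAGE_KEY]) {
  const leaks = [];
  for (const key of keys) {
    const raw = storage.getItem(key);
    if (raw === null) continue;
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch (e) {
      continue; // not JSON; nothing structured to inspect
    }
    if (parsed && typeof parsed === 'object') {
      for (const field of Object.keys(parsed)) {
        if (SENSITIVE_FIELDS.has(field)) leaks.push(`${key}.${field}`);
      }
    }
  }
  return leaks;
}

// Walks through the advisory's scenario with a constructed sample user and
// returns what the leak check finds before and after the hardened save.
function demo() {
  const user = { username: 'alice', email: 'alice@example.com' };
  user.password = 'hunter2'; // what a setPassword-style call would do

  saveUserUnsafe(user);
  const before = findLeakedSecrets(memoryStorage); // ["currentUser.password"]

  saveUserSafe(user);
  const after = findLeakedSecrets(memoryStorage); // []
  return { before, after };
}

console.log(demo());
```

Stripping the field at serialization time is the right layer for the SDK-side fix the advisory suggests: the in-memory object can still carry the password for the pending save request, but the persisted copy never does. The findLeakedSecrets check is the kind of assertion an application test suite can run against its storage after login and password-change flows.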
Weakness Enumeration

Related Identifiers

GHSA-WVH7-5P38-2QFC

Affected Products

Parse Sdk
Parse Server