CVE-2020-15085

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15085
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15085.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-15085
Related
  • GHSA-4279-h39w-2jqm
Published
2020-06-30T17:15:10Z
Modified
2025-01-08T10:27:28.075154Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
[none]
Details

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. Versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.

Affected packages

Git / github.com/mirumee/saleor-storefront

Affected ranges

Type
GIT
Repo
https://github.com/mirumee/saleor-storefront
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/saleor/saleor-storefront
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

2.*

2.10.0
2.10.0-rc.1
2.10.0-rc.2
2.10.1
2.10.2

v0.*

v0.1.0b1
v0.2.0
v0.2.0b1
v0.2.0b2
v0.2.0b3
v0.3.0
v0.4.0
v0.4.0b1
v0.5.0
v0.5.1
v0.6.0
v0.7.0