CVE-2021-28128 – strapi
Package
Manager: npm
Name: strapi
Vulnerable Version: >=0 <=3.6.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00259 pctl0.49057
Details
Weak Password Recovery Mechanism for Forgotten Password in Strapi
In Strapi through 3.6.0, the admin panel allows a logged-in user to change their own password without entering the current password. An attacker who gains access to a valid session (for example a stolen session cookie or an unattended logged-in browser) can use this to take over the account by setting a new password, locking the legitimate user out.
Metadata
Created: 2021-10-06T17:48:16Z
Modified: 2021-10-06T14:09:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-37hx-4mcq-wc3h/GHSA-37hx-4mcq-wc3h.json
CWE IDs: ["CWE-640"]
Alternative ID: GHSA-37hx-4mcq-wc3h
Finding: F417
Auto approve: 1