Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zN2h4LTRtY3Etd2MzaM0WMQ
Weak Password Recovery Mechanism for Forgotten Password in Strapi
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
Permalink: https://github.com/advisories/GHSA-37hx-4mcq-wc3h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zN2h4LTRtY3Etd2MzaM0WMQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00251
EPSS Percentile: 0.64165
Identifiers: GHSA-37hx-4mcq-wc3h, CVE-2021-28128
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-28128
- https://github.com/strapi/strapi/issues/9657
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt
- https://github.com/strapi/strapi/releases/tag/v3.6.0
- https://github.com/advisories/GHSA-37hx-4mcq-wc3h
Blast Radius: 29.3
Affected Packages
npm:strapi
Dependent packages: 25
Dependent repositories: 4,153
Downloads: 39,195 last month
Affected Version Ranges: <= 3.6.0
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0