Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zN2h4LTRtY3Etd2MzaM0WMQ

High EPSS: 0.00259% (0.49069 Percentile) EPSS:
Permalink JSON

Weak Password Recovery Mechanism for Forgotten Password in Strapi

Affected Packages Affected Versions Fixed Versions
npm:strapi <= 3.6.0 No known fixed version
25 Dependent packages
4,153 Dependent repositories
36,596 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

References:

Identifiers

GHSA-37hx-4mcq-wc3h

CVE-2021-28128

Risk

Severity

High

EPSS

EPSS Percentage: 0.00259

EPSS Percentile: 0.49069

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/strapi/strapi

Date and time

Published

almost 4 years ago

Updated

almost 2 years ago

API

JSON