CVE-2021-28128

HIGH8.1EPSS 0.26%

Weak Password Recovery Mechanism for Forgotten Password in Strapi

Published: 10/6/2021Modified: 11/8/2023

Description

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

Affected packages (1)

npm/strapifrom 0, <= 3.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-28128
PATCHhttps://github.com/strapi/strapi
WEBhttps://github.com/strapi/strapi/issues/9657
WEBhttps://github.com/strapi/strapi/releases/tag/v3.6.0
WEBhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt