CVE-2021-28128

HIGH8.1EPSS 0.26%

Weak Password Recovery Mechanism for Forgotten Password in Strapi

發布日:2021/10/6修改日:2023/11/8

描述

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

受影響套件(1)

npm/strapifrom 0, <= 3.6.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-28128
PATCHhttps://github.com/strapi/strapi
WEBhttps://github.com/strapi/strapi/issues/9657
WEBhttps://github.com/strapi/strapi/releases/tag/v3.6.0
WEBhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt