Описание
Weak Password Recovery Mechanism for Forgotten Password in Strapi
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
Пакеты
Наименование
strapi
npm
Затронутые версииВерсия исправления
<= 3.6.0
Отсутствует
Связанные уязвимости
CVSS3: 8.1
nvd
почти 5 лет назад
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.