CVE-2019-18818
Severity CVSS v4.0:
Pending analysis
Type:
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Publication date:
07/11/2019
Last modified:
20/02/2022
Description
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:* | 1.6.4 (including) | |
| cpe:2.3:a:strapi:strapi:3.0.0:alpha10.1:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha10.2:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha10.3:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha11:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha11.1:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha11.2:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha11.3:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.1:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.1.3:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.2:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.3:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.4:*:*:*:*:*:* | ||
| cpe:2.3:a:strapi:strapi:3.0.0:alpha12.5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
- http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
- https://github.com/strapi/strapi/pull/4443
- https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
- https://www.npmjs.com/advisories/1311