CVE-2021-28128 Vulnerability in npm package strapi

Description

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

Remediation

References

https://github.com/strapi/strapi/releases

https://strapi.io/changelog

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt

Related Vulnerabilities

CVE-2022-25872 Vulnerability in npm package fast-string-search

CVE-2020-6464 Vulnerability in npm package electron

CVE-2020-7679 Vulnerability in npm package casperjs

CVE-2022-24999 Vulnerability in maven package org.webjars.bower:qs

CVE-2021-25738 Vulnerability in maven package io.kubernetes:client-java-parent

Severity

Critical

Classification

CWE-640 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N