Password Change Vulnerability in Strapi Admin Panel
CVE-2021-28128

8.1HIGH

Key Information:

Vendor

Strapi

Status
Strapi
Vendor
CVE Published:
6 May 2021

What is CVE-2021-28128?

A security flaw in Strapi through version 3.6.0 allows users to change their passwords without entering their current password in the admin panel. This oversight can be exploited by an attacker who has obtained a valid session, enabling them to take control of a user's account by altering the password without authorization. It is crucial for users to be aware of this risk and to implement safe practices such as session monitoring and access controls to protect sensitive accounts.

References

https://github.com/strapi/strapi/releases
x_refsource_MISC
https://strapi.io/changelog
x_refsource_MISC
https://www.syss.de/fileadmin/dokumente/Publikationen/Adv...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.