Security for everyone

CVE-2019-18818 Scanner

Detects the 'Unauthenticated Admin Password Reset' vulnerability in Strapi, which affects versions before 3.0.0-beta.17.5.


Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Domain, Ipv4
Toolbox: -

Strapi is an open-source headless CMS (Content Management System) which is used for the development of serverless CMS-based web applications. Developers use Strapi for creating their own personalized content management system. It is easy to use, highly customizable, and efficient. The platform uses APIs to let businesses build custom solutions and deliver personalized user experiences.

CVE-2019-18818 is a vulnerability that was detected in Strapi before 3.0.0-beta.17.5. It is related to password resets in packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. In affected versions, these controllers mishandled password resets and did not carry out the operation securely, which is the root of the issue.

When exploited, CVE-2019-18818 can lead to the takeover of Strapi user accounts, giving malicious actors access to confidential or personal data. By gaining access through the password reset flow, unauthorized parties can potentially perform any action permitted to the affected user, with potentially serious consequences. This vulnerability creates an opportunity for cybercriminals to launch further attacks, including spear-phishing, credential theft, identity theft and data breaches.

In conclusion, Security For Everyone offers a vital platform for organizations or individuals to discover potential vulnerabilities in their digital assets easily and quickly. By subscribing to the pro features of this platform, customers can stay ahead of cybercriminals and mitigate the risk of loss of confidential or personal data. Stay safe by being proactive on digital asset security.

