Input validation error in strapi.io strapi



Published: 2020-06-19 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-13961
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
strapi
Web applications / CMS

Vendor strapi.io

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU34229

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13961

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to manipulate data.

Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.

Mitigation

Install update from vendor's website.

Vulnerable software versions

strapi: 3.0.0 - 3.0.1

External links

http://exchange.xforce.ibmcloud.com/vulnerabilities/183045
http://github.com/strapi/strapi/pull/6599
http://github.com/strapi/strapi/releases/tag/v3.0.2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###