Main Vulnerability Database Vulnerabilities #VU34229

#VU34229 Input validation error in strapi - CVE-2020-13961

Published: June 19, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34229

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-13961

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
strapi

Software vendor:
strapi.io

Description

The vulnerability allows a remote authenticated user to manipulate data.

Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.

Remediation

Install update from vendor's website.

External links

https://exchange.xforce.ibmcloud.com/vulnerabilities/183045
https://github.com/strapi/strapi/pull/6599
https://github.com/strapi/strapi/releases/tag/v3.0.2

#VU34229 Input validation error in strapi - CVE-2020-13961

Description

Remediation

External links

Please verify you're human