#VU34229 Input validation error in strapi


Published: 2020-06-19 | Updated: 2020-08-08

Vulnerability identifier: #VU34229

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13961

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
strapi
Web applications / CMS

Vendor: strapi.io

Description

The vulnerability allows a remote authenticated user to manipulate data.

Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitization. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
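The weak update path the description refers to, beside a hardened one, as an added illustration that is not Strapi's code or its fix; the template field names, the editor role check and the default values are assumptions for the example.

```javascript
'use strict';

// Hypothetical schema for the two emails the advisory names. Field names and
// the editor role are assumptions for illustration, not Strapi's real schema.
const TEMPLATE_NAMES = ['reset_password', 'email_confirmation'];
const TEMPLATE_FIELDS = ['from', 'subject', 'text', 'html'];
const EDITOR_ROLES = ['admin'];

function defaultTemplates() {
  return {
    reset_password: { from: 'no-reply@example.test', subject: 'Reset your password', text: '', html: '' },
    email_confirmation: { from: 'no-reply@example.test', subject: 'Confirm your account', text: '', html: '' },
  };
}

// Weak pattern matching the advisory's description: the request body is merged
// straight into the shared template object, so any key and any value type
// ends up in it with no validation.
function unsafeUpdate(store, body) {
  Object.assign(store, body);
  return store;
}

// Hardened pattern: authorise the caller, accept only known template names and
// string-valued known fields, and build a fresh object so the shared store is
// swapped atomically instead of being mutated with untrusted input.
function applyTemplateUpdate(store, body, actor) {
  if (!actor || !EDITOR_ROLES.includes(actor.role)) {
    throw new Error('forbidden: caller may not edit email templates');
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('body must be a plain object');
  }
  const next = { ...store };
  for (const name of Object.keys(body)) {
    if (!TEMPLATE_NAMES.includes(name)) throw new Error(`unknown template: ${name}`);
    const tpl = body[name];
    if (tpl === null || typeof tpl !== 'object') throw new TypeError(`${name} must be an object`);
    const clean = { ...store[name] };
    for (const field of Object.keys(tpl)) {
      if (!TEMPLATE_FIELDS.includes(field)) throw new Error(`unknown field: ${name}.${field}`);
      if (typeof tpl[field] !== 'string') throw new TypeError(`${name}.${field} must be a string`);
      clean[field] = tpl[field];
    }
    next[name] = clean;
  }
  return next;
}
```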

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

strapi: 3.0.0 - 3.0.1


External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/183045
http://github.com/strapi/strapi/pull/6599
http://github.com/strapi/strapi/releases/tag/v3.0.2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

