-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-008
Product: Strapi Content Management System
Manufacturer: Strapi
Affected Version(s): <= 3.6.0
Tested Version(s): 3.2.4, 3.5.1, 3.5.2, 3.6.0
Vulnerability Type: Unverified Password Change (CWE-620)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-03-08
Solution Date: tbd.
Public Disclosure: 2021-04-26
CVE Reference: CVE-2021-28128
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Strapi CMS is a content management system (CMS) for websites based on
Node.js.

The manufacturer describes the product as follows (see [1]):

"Strapi is the leading open-source headless CMS. It's 100% Javascript,
fully customizable and developer-first."

Due to a missing check in the administration panel, Strapi is vulnerable
to account hijacking once an attacker has gained access to a running
user session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The profile page of the administration panel allows a logged-in user to
set a new password for their own account without entering the current
password. The only thing the password change is tied to is the session
itself.

An attacker who has gained access to a valid administrator session (for
example a stolen session token or an unattended, still logged-in
browser) can therefore replace the password with one of their choosing
and take over the account permanently, locking out the legitimate
owner. Requiring the current password for this operation would limit
such an attacker to the lifetime of the hijacked session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the administration panel.
2. Go to your own profile page.
3. Change the password of the account without entering the current
   password. The change is accepted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been provided yet.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-02-26: Vulnerability discovered
2021-03-08: Vulnerability reported to manufacturer
2021-03-04: Public disclosure by manufacturer via GitHub issue [4]
2021-04-26: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for Strapi
    http://strapi.io
[2] SySS Security Advisory SYSS-2021-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] GitHub Issue of the Vulnerability
    https://github.com/strapi/strapi/issues/9657

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0x1BB923F45A84E219
Key Fingerprint: E25E DD82 760F 1E3C 5529 459A 1BB9 23F4 5A84 E219

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE4l7dgnYPHjxVKUWaG7kj9FqE4hkFAmCGdqkACgkQG7kj9FqE
4hn5eBAAmdeg46x+YDgoAJWJXhjg5pXAM76XWFq4I8T1jVAksavikkduxkJu3iwf
56F1VrbypB3g/81ZjkBWiPKSJGnvpE7GkW/cSP+Q+uo03mHR4M0GRjdz5GXahp9l
bOY5Qt/Gfaqk4vC1s70ca+d01HV4kKJbiTgoHWsH0Xx+HVHY0g9wok7NwBfnRmd/
RKOZvvymcQJYJ2B8yBA5kCYTfhXI2Itd6eyPKP5nykpec92463Tpv/XhiLfFuKCP
oTKOTIdl9ycE2wEy16HvHMnhIHdrYprVru9a8AdrVdB8A5YLcxFz/H4mIxRC/Bab
jKxK0fX7Z1rwSXlkxgQ2NRtyb5Acf1EM6z1vjI+mFL9DG9ColgMro2gyjl6RvK3m
sfT/Mc8oLPHaBjXhJsuhgHBLhAE8zHkya8EYjRGQtVxz3OsrcUNSI+nC1xxyxa7Y
lI2haJoF4YiXQ5ZOrbUhiIpvjSfzIfBF/GNREXBzmxaixTs5v7IUkDYhVbFzbfvG
bmiAlgB/wtXpgGOe0NSocxVWqElebNft6NJUEgwzZ0HhpFw45tfPDTgWt+4+ZTJ7
f4hFcZB4xPdyDS2T+ZHCB7ZtRVrYQq/Uv0xHlDAA5dH5ZZaFRKGaonFTLdm/urkU
GEcB/x9vHjqOR1QLqkM50ccHyeXaanqIObQrku/wp24w7Wwinsg=
=Vtws
-----END PGP SIGNATURE-----