CVE-2019-18818 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
strapi	strapi	𝑥 ≤ 1.6.4
strapi	strapi	3.0.0:alpha10.1
strapi	strapi	3.0.0:alpha10.2
strapi	strapi	3.0.0:alpha10.3
strapi	strapi	3.0.0:alpha11
strapi	strapi	3.0.0:alpha11.1
strapi	strapi	3.0.0:alpha11.2
strapi	strapi	3.0.0:alpha11.3
strapi	strapi	3.0.0:alpha12
strapi	strapi	3.0.0:alpha12.1
strapi	strapi	3.0.0:alpha12.1.3
strapi	strapi	3.0.0:alpha12.2
strapi	strapi	3.0.0:alpha12.3
strapi	strapi	3.0.0:alpha12.4
strapi	strapi	3.0.0:alpha12.5
strapi	strapi	3.0.0:alpha12.6
strapi	strapi	3.0.0:alpha12.7
strapi	strapi	3.0.0:alpha12.7.1
strapi	strapi	3.0.0:alpha13
strapi	strapi	3.0.0:alpha13.0.1
strapi	strapi	3.0.0:alpha13.1
strapi	strapi	3.0.0:alpha14
strapi	strapi	3.0.0:alpha14.1
strapi	strapi	3.0.0:alpha14.1.1
strapi	strapi	3.0.0:alpha14.2
strapi	strapi	3.0.0:alpha14.3
strapi	strapi	3.0.0:alpha14.4.0
strapi	strapi	3.0.0:alpha14.5
strapi	strapi	3.0.0:alpha15
strapi	strapi	3.0.0:alpha16
strapi	strapi	3.0.0:alpha17
strapi	strapi	3.0.0:alpha18
strapi	strapi	3.0.0:alpha19
strapi	strapi	3.0.0:alpha20
strapi	strapi	3.0.0:alpha21
strapi	strapi	3.0.0:alpha22
strapi	strapi	3.0.0:alpha23
strapi	strapi	3.0.0:alpha23.1
strapi	strapi	3.0.0:alpha24
strapi	strapi	3.0.0:alpha24.1
strapi	strapi	3.0.0:alpha25
strapi	strapi	3.0.0:alpha25.1
strapi	strapi	3.0.0:alpha25.2
strapi	strapi	3.0.0:alpha26
strapi	strapi	3.0.0:alpha26.1
strapi	strapi	3.0.0:alpha26.2
strapi	strapi	3.0.0:alpha4
strapi	strapi	3.0.0:alpha4.8
strapi	strapi	3.0.0:alpha5.3
strapi	strapi	3.0.0:alpha5.5
strapi	strapi	3.0.0:alpha6.3
strapi	strapi	3.0.0:alpha6.4
strapi	strapi	3.0.0:alpha6.7
strapi	strapi	3.0.0:alpha7.2
strapi	strapi	3.0.0:alpha7.3
strapi	strapi	3.0.0:alpha8
strapi	strapi	3.0.0:alpha8.3
strapi	strapi	3.0.0:alpha9
strapi	strapi	3.0.0:alpha9.1
strapi	strapi	3.0.0:alpha9.2
strapi	strapi	3.0.0:beta0
strapi	strapi	3.0.0:beta1
strapi	strapi	3.0.0:beta10
strapi	strapi	3.0.0:beta11
strapi	strapi	3.0.0:beta12
strapi	strapi	3.0.0:beta13
strapi	strapi	3.0.0:beta14
strapi	strapi	3.0.0:beta15
strapi	strapi	3.0.0:beta16
strapi	strapi	3.0.0:beta16.1
strapi	strapi	3.0.0:beta16.2
strapi	strapi	3.0.0:beta16.3
strapi	strapi	3.0.0:beta16.4
strapi	strapi	3.0.0:beta16.5
strapi	strapi	3.0.0:beta16.6
strapi	strapi	3.0.0:beta16.7
strapi	strapi	3.0.0:beta16.8
strapi	strapi	3.0.0:beta17
strapi	strapi	3.0.0:beta17.1
strapi	strapi	3.0.0:beta17.2
strapi	strapi	3.0.0:beta17.3
strapi	strapi	3.0.0:beta17.4
strapi	strapi	3.0.0:beta2
strapi	strapi	3.0.0:beta3
strapi	strapi	3.0.0:beta4
strapi	strapi	3.0.0:beta5
strapi	strapi	3.0.0:beta6
strapi	strapi	3.0.0:beta7
strapi	strapi	3.0.0:beta8
strapi	strapi	3.0.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References

http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html

http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html

https://github.com/strapi/strapi/pull/4443

https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5

https://www.npmjs.com/advisories/1311

http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html

http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html

https://github.com/strapi/strapi/pull/4443

https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5

https://www.npmjs.com/advisories/1311