CVE-2019-18818

Current Description

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

Basic Data

Published: November 07, 2019
Last Modified: November 13, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-640
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Range bound (Start/End Including/Excluding)
    2.3 | Application | Strapi | Strapi | * | * | * | * | * | * | * | * | 1.6.4
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha10.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha10.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha10.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha11 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha11.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha11.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha11.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.1.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.5 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.6 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.7 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha12.7.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha13 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha13.0.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha13.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.1.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.4.0 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha14.5 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha15 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha16 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha17 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha18 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha19 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha20 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha21 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha22 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha23 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha23.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha24 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha24.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha25 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha25.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha25.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha26 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha26.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha26.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha4.8 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha5.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha5.5 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha6.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha6.4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha6.7 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha7.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha7.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha8 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha8.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha9 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha9.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | alpha9.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta0 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta10 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta11 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta12 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta13 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta14 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta15 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.5 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.6 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.7 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta16.8 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta17 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta17.1 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta17.2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta17.3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta17.4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta2 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta3 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta4 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta5 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta6 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta7 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta8 | * | * | * | * | * | * |
    2.3 | Application | Strapi | Strapi | 3.0.0 | beta9 | * | * | * | * | * | * |

Vulnerable Software List

Vendor | Product | Versions
Strapi | Strapi | *, 3.0.0

References

Name | Source | URL | Tags
https://github.com/strapi/strapi/pull/4443 | MISC | https://github.com/strapi/strapi/pull/4443 | Third Party Advisory
https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5 | MISC | https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5 | Release Notes, Third Party Advisory
https://www.npmjs.com/advisories/1311 | MISC | https://www.npmjs.com/advisories/1311 | Third Party Advisory