First published: Fri Jun 19 2020
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitization. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Strapi Strapi | <3.0.2 | Upgrade to Strapi 3.0.2 or later
CVE-2020-13961 is a vulnerability in the Strapi CMS before version 3.0.2 that could allow a remote authenticated attacker to bypass security restrictions.
The flaw exists because Strapi keeps its email templates in a global variable and accepts updates to them without any sanitization, so an authenticated attacker can overwrite the password reset and account confirmation email templates.
The severity of CVE-2020-13961 is medium, with a severity value of 6.5.
To fix CVE-2020-13961, upgrade to Strapi version 3.0.2 or later, which includes a fix for this vulnerability.
CWE-20 is the Common Weakness Enumeration category for Improper Input Validation, the weakness class under which this vulnerability falls.
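The following is an added illustration, not Strapi's own code, of the CWE-20 pattern described above: a settings handler that writes request input into a mutable global template store without validation, next to a hardened handler that restricts the caller's role, whitelists template names and fields, bounds values, and returns a new object for the caller to persist instead of mutating shared state. Function names, the `role` field and the payload shape are hypothetical.

```javascript
// Added example (not Strapi's code). Template names, roles and payload shape are
// hypothetical; they stand in for the "global template variable" the advisory describes.
const DEFAULT_TEMPLATES = {
  reset_password: { subject: 'Reset your password', message: '<p><%= URL %></p>' },
  email_confirmation: { subject: 'Confirm your account', message: '<p><%= URL %></p>' },
};
const clone = (o) => JSON.parse(JSON.stringify(o));

// Vulnerable pattern: a process-wide global that any authenticated caller can
// rewrite, with no check on which keys or values arrive in the request body.
let globalTemplates = clone(DEFAULT_TEMPLATES);
function updateTemplatesVulnerable(user, body) {
  if (!user) throw new Error('unauthenticated');
  Object.assign(globalTemplates, body.email_templates); // arbitrary keys/values land here
  return globalTemplates;
}

// Hardened pattern: admin-only, known template names and fields only, string values
// with a length bound, and a fresh copy returned rather than a shared global mutated.
const ALLOWED_TEMPLATES = new Set(['reset_password', 'email_confirmation']);
const ALLOWED_FIELDS = new Set(['subject', 'message']);
const MAX_LEN = 10000;
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
function updateTemplatesHardened(user, body, store) {
  if (!user || user.role !== 'admin') throw new Error('forbidden');
  const input = body && body.email_templates;
  if (!isPlainObject(input)) throw new Error('invalid payload');
  const next = clone(store);
  for (const [name, fields] of Object.entries(input)) {
    if (!ALLOWED_TEMPLATES.has(name)) throw new Error(`unknown template: ${name}`);
    if (!isPlainObject(fields)) throw new Error(`invalid fields for ${name}`);
    for (const [field, value] of Object.entries(fields)) {
      if (!ALLOWED_FIELDS.has(field)) throw new Error(`unknown field: ${field}`);
      if (typeof value !== 'string' || value.length > MAX_LEN) {
        throw new Error(`invalid value for ${name}.${field}`);
      }
      next[name][field] = value; // only whitelisted fields of known templates change
    }
  }
  return next;
}
```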