Main Vulnerability Database Exploits ID:10179 - Exploit for Weak Password Recovery Mechanism for Forgotten Password in strapi - CVE-2019-18818

ID:10179 - Exploit for Weak Password Recovery Mechanism for Forgotten Password in strapi - CVE-2019-18818

Published: July 5, 2024

Vulnerability identifier: #VU22788

Vulnerability risk: High

CVE-ID: CVE-2019-18818

CWE-ID: CWE-640

Exploitation vector: Remote access

Vulnerable software:
strapi

Link to public exploit:

https://github.com/Hackhoven/Strapi-RCE

Vulnerability description

The vulnerability allows a remote attacker to reset an admin's password.

The vulnerability exists due to the affected software mishandles password resets within "packages/strapi-admin/controllers/Auth.js" and "packages/strapi-plugin-users-permissions/controllers/Auth.js". A remote attacker can use the password reset routes to reset an admin's password without providing a valid password reset token.

Remediation

Install updates from vendor's website.

ID:10179 - Exploit for Weak Password Recovery Mechanism for Forgotten Password in strapi - CVE-2019-18818

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human