CVE-2020-27665: Improper Authorization in Strapi

Basic Information
CVSS Score: 7.5 (CVSS 3.1)
CVE ID: CVE-2020-27665
GHSA ID:
EPSS Score: 0.52237%
CWE:
Published: 10/29/2020
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| strapi-plugin-content-type-builder | npm | < 3.2.5 | 3.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing admin::hasPermissions policies in the route configuration of the Content-Type Builder (CTB) plugin. The commit diff shows that, before 3.2.5, these handlers in routes.json carried no authorization check. Each listed function corresponds to a route handler that was exposed because permission validation was absent, as evidenced by the policies added in the patch; the modification to routes.json clearly identifies these as the unprotected entry points.