
CVE-2021-28128: Weak Password Recovery Mechanism for Forgotten Password in Strapi

CVSS Score: 8.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.49167%
Published: 10/6/2021
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
strapi | npm | <= 3.6.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the absence of a current-password check in the password change functionality of the admin panel. While the advisory clearly describes the vulnerable behavior (a password can be changed without supplying the current password), the provided materials lack specific code references, commit diffs, or patch details that would allow precise identification of the vulnerable functions. The GitHub issue (#9657) discusses the problem at a feature level but does not reference implementation details. Without access to Strapi's source code for versions ≤3.6.0 or specific file/function references from the advisory materials, the vulnerability cannot be confidently mapped to specific functions. It most likely lies in the user profile update controller that handles password changes, but the available implementation details are insufficient to confirm this.


WAF Protection Rules

WAF Rule

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
