Vulnerabilities > Strapi > Strapi > 3.0.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-19 | CVE-2022-30618 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). | 6.0 |
| 2022-05-03 | CVE-2021-46440 | Insufficiently Protected Credentials vulnerability in Strapi Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | 5.0 |
| 2022-02-26 | CVE-2022-0764 | Unspecified vulnerability in Strapi Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. | 6.7 |
| 2021-05-06 | CVE-2021-28128 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Strapi In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. | 5.5 |
| 2020-10-22 | CVE-2020-27666 | Cross-site Scripting vulnerability in Strapi Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature. | 3.5 |
| 2020-10-22 | CVE-2020-27665 | Incorrect Default Permissions vulnerability in Strapi In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes. | 5.0 |
| 2020-10-22 | CVE-2020-27664 | Unspecified vulnerability in Strapi admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality. | 7.5 |