Vulnerabilities > Strapi > Strapi > 3.2.5
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-19 | CVE-2022-30617 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. | 9.0 |
2022-05-19 | CVE-2022-30618 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). | 6.0 |
2022-05-03 | CVE-2021-46440 | Insufficiently Protected Credentials vulnerability in Strapi Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | 5.0 |
2022-02-26 | CVE-2022-0764 | Unspecified vulnerability in Strapi Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. | 6.7 |
2021-05-06 | CVE-2021-28128 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Strapi In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. | 5.5 |