CVE-2021-28128: Weak Password Recovery Mechanism for Forgotten Password

May 6, 2021 (updated May 14, 2021)

In Strapi, the admin panel allows the changing of one’s own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

References

nvd.nist.gov/vuln/detail/CVE-2021-28128
strapi.io/changelog

Code Behaviors & Features

Detect and mitigate CVE-2021-28128 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →