Strapi, a popular CMS, patched two vulnerabilities allowing users with lower privilege to see the data of higher-privileged users. Pictured: An image of a password login dialog box is reflected on the eye of a young woman on Aug. 9, 2017, in London. (Photo by Leon Neal/Getty Images)
The popular, headless CMS Strapi patched two vulnerabilities that allowed users with lower levels of privilege to see data only higher-privileged users were cleared to see — including information allowing account takeover.
The vulnerabilities, which Synopsys’ CyRC research lab discovered in November, are tracked as CVE-2022-30617 and CVE-2022-30618. Both vulnerabilities involve too much user data being exposed in the backend. The exposed data includes password reset tokens, which could be leveraged to steal accounts.
“A malicious user could abuse this vulnerability to reset passwords and thereby gain access to those accounts,” said David Johansson, principal security consultant at Synopsys Software Integrity Group. “You could create content on behalf of users, maybe discredit them or publish fake news or possibly read content that hasn’t been published yet from other voters.”
Strapi has three levels of privilege: “Writer,” “Editor” and “Super User.” But both vulnerabilities offer ways for lower-privileged users to see data from higher-level users who interact with them. In the first vulnerability, the author of a file has access to details of the JSON response for a user who updates the file, meaning a disgruntled Writer could peer into the account data of an Editor or Super User.
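To show the defensive pattern for this class of bug, here is an added example (not Strapi's own code) of a response sanitizer that reduces embedded user relations such as the updater's record to an allow-list of fields before the JSON is returned; the field names and the sample record are constructed assumptions.

```javascript
// Added example, not Strapi's code: strip sensitive user fields from
// embedded relations (createdBy/updatedBy) before serializing a response.
// Field names are assumed for illustration.
const SENSITIVE_USER_FIELDS = new Set([
  'password',
  'resetPasswordToken',
  'registrationToken',
  'email',
]);

// The only fields a lower-privileged caller needs about a related user.
const PUBLIC_USER_FIELDS = ['id', 'firstname', 'lastname', 'username'];

// Return a copy of a user record containing only allow-listed fields.
function sanitizeUser(user) {
  if (!user || typeof user !== 'object') return user;
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

// Walk an entity and sanitize every embedded user relation, recursing into
// nested objects and arrays so relations inside components are covered too.
function sanitizeEntity(entity, relationKeys = ['createdBy', 'updatedBy']) {
  if (Array.isArray(entity)) return entity.map((e) => sanitizeEntity(e, relationKeys));
  if (!entity || typeof entity !== 'object') return entity;
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    out[key] = relationKeys.includes(key)
      ? sanitizeUser(value)
      : sanitizeEntity(value, relationKeys);
  }
  return out;
}

// Test/CI guard: true if any sensitive field survives anywhere in a response.
function leaksSensitiveData(value) {
  if (Array.isArray(value)) return value.some(leaksSensitiveData);
  if (!value || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => SENSITIVE_USER_FIELDS.has(k) || leaksSensitiveData(v),
  );
}

// Constructed sample: an entry with an embedded updater record, including a
// reset token, as an over-exposing backend might have returned it.
const SAMPLE_ENTRY = {
  id: 7,
  title: 'Draft',
  updatedBy: { id: 2, firstname: 'Ed', email: 'ed@example.test', password: '$2b$hash', resetPasswordToken: 'tok-123' },
};
```

Running `leaksSensitiveData` over every serialized response in an integration test catches a regression of this kind before it reaches production.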