Researchers uncovered two critical vulnerabilities in JSON that can expose data in the open-source Node.js headless content management system Strapi.
The two vulnerabilities, tracked as CVE-2022-30617 and CVE-2022-30618, are described as sensitive data exposure vulnerabilities that may lead to account compromise in the admin panel of Strapi.
CVE-2022-30617 is said to expose sensitive data if admin panel users in a JSON response. CVE-2022-30618 does likewise. The vulnerabilities affect Strapi v3 up to v3.6.9 and Strapi v4 beta versions up to v4.0.0-beta.15.
The first vulnerability allows an authenticated user with access to the Strapi admin panel to view private and sensitive data. This includes email and password reset tokens as well as details of other admin panel users that have a relationship with content accessible to the authenticated user.
The second vulnerability opens the door for an authenticated user with access to the Strapi admin panel to view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users.
There are many scenarios where details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled.
Researchers first informed Strapi in November and later releases fixed the issue.
This research was conducted by Synopsys Cybersecurity Research Center.