The popular, headless CMS Strapi patched two vulnerabilities that allowed users with lower levels of privilege to see data only higher-privileged users were cleared to see — including information allowing account takeover.
The vulnerabilities, which Synopsys' CyRC research lab discovered in November, are tracked as CVE-2022-30617 and CVE-2022-30618. Both involve too much user data being exposed by the backend. The exposed data includes password reset tokens, which could be leveraged to take over accounts.
"A malicious user could abuse this vulnerability to reset passwords and thereby gain access to those accounts," said David Johansson, principal security consultant at Synopsys Software Integrity Group. "You could create content on behalf of users, maybe discredit them or publish fake news or possibly read content that hasn't been published yet from other voters."
Strapi has three levels of privilege: "Writer," "Editor" and "Super User." But both vulnerabilities offer ways for lower-privileged users to see data belonging to higher-privileged users who interact with them. In the first vulnerability, the author of a file has access to the details contained in the JSON response describing a user who updates that file, meaning a disgruntled Writer could peer into the account data of an Editor or Super User who edited their post. In the second, one user gains access to the JSON responses returned to another user making use of the API, provided the second user is related to content types the first has access to.
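One defensive pattern against this class of bug, shown here as an added example that is not Strapi's own code: before a content entry leaves the API, replace every nested user relation with an allowlisted projection, so that secrets such as a password reset token never reach a lower-privileged caller no matter which user last edited the entry. The relation names (updatedBy, createdBy, author), the allowlisted fields and the sample entry are assumptions constructed for illustration.

```javascript
// Added example, not Strapi's own code. Relation and field names are assumed.
const USER_PUBLIC_FIELDS = ['id', 'firstname', 'lastname', 'username'];
// Relation names under which a full user record may appear in a response.
const USER_RELATIONS = new Set(['createdBy', 'updatedBy', 'author']);

// Keep only allowlisted keys of a user record. An allowlist is preferred
// over stripping known secrets: a field added later is hidden by default.
function projectUser(user) {
  const out = {};
  for (const key of USER_PUBLIC_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

// Walk any JSON-serialisable value and replace user relations wherever
// they occur (lists of entries, nested components, relation arrays).
function sanitizeResponse(value) {
  if (Array.isArray(value)) return value.map(sanitizeResponse);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (USER_RELATIONS.has(key) && child && typeof child === 'object') {
      out[key] = Array.isArray(child) ? child.map(projectUser) : projectUser(child);
    } else {
      out[key] = sanitizeResponse(child);
    }
  }
  return out;
}

// Regression check: does a key occur anywhere in the response tree?
function hasKeyDeep(value, wanted) {
  if (Array.isArray(value)) return value.some((v) => hasKeyDeep(v, wanted));
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) => k === wanted || hasKeyDeep(v, wanted));
}

// Constructed sample: an entry serialised with the Editor who last updated
// it in full, including fields a Writer must never receive.
const SAMPLE_ENTRY = {
  id: 12,
  title: 'Draft article',
  updatedBy: {
    id: 3, firstname: 'Ed', lastname: 'Itor', email: 'editor@example.com',
    password: '$2a$10$constructed-hash',
    resetPasswordToken: 'constructed-secret-token',
  },
};
```

Running hasKeyDeep over every response in a test suite with the names of known secret fields turns the exposure into a failing test rather than a bug report.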
Strapi version 3 users are safe from both vulnerabilities after updating to version 3.6.10 or later. Version 4 users are safe from 30617 by using stable releases of Strapi and 30618 by updating to 4.1.10 or later.
Johansson emphasized that API vulnerabilities of this kind are extremely common.
"It's quite common that the actual data being sent under the hood that is not visible contains a lot more than what the user is supposed to be able to get access to and see," he said.