The vulnerabilities allow attackers to use a low-privilege account to reset the password of a higher-privilege account.

Users of Strapi, a popular headless content management system written entirely in JavaScript and focused on API development, should update their installations as soon as possible to fix two vulnerabilities that could lead to administrative accounts being compromised.

According to researchers with the Synopsys Cybersecurity Research Center (CyRC), the flaws allow a user with low privileges to access sensitive data that can be used to perform a password reset for a higher-privileged account, such as the administrator. This means attackers need to gain access to a low-privileged account first, which can be achieved via compromised credentials, phishing or other methods.

Strapi is a headless content management system built on top of the Node.js JavaScript runtime with support for a variety of databases and frontend frameworks. A headless CMS provides the backend for creating, managing and storing content, which is then exposed through an API and can be accessed using independently built frontends. These can be websites, mobile applications or even IoT devices. Strapi is open-source and provides an easy way for companies to design APIs for a variety of use cases. While its market share is small compared to general-purpose content management systems such as WordPress or Joomla, the project is popular with enterprises and lists some big organizations as users, including Societe Generale, IBM, NASA, Generali, Walmart and Toyota.

Two similar data exposure flaws in the admin panel and API

The Synopsys researchers found the first vulnerability, tracked as CVE-2022-30617, in November.
The flaw allows an authenticated user who has access to the Strapi admin panel to access email and password reset tokens for administrative users with whom they have a content relationship.

“For example, a low-privileged ‘Author’ role account can view these details in the JSON response for an ‘Editor’ or ‘Super Admin’ that has updated one of the author’s blog posts,” the researchers explained in their advisory. “There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship.”

With the leaked information an attacker can initiate the password reset workflow for the higher-privileged user. Strapi supports role-based access control (RBAC) and single sign-on (SSO) integration with identity providers and Microsoft Active Directory.

The CVE-2022-30617 flaw is rated 8.8 (High) in the Common Vulnerability Scoring System (CVSS) and was patched in Strapi v4.0.0 back in November. The patch was also backported to Strapi v3.6.10, which was released this month.

After reviewing the initial fix for CVE-2022-30617, the Synopsys researchers found a similar vulnerability in the API permissions system that affects API users managed by the users-permissions plugin. This new vulnerability is tracked as CVE-2022-30618 and is rated 7.5 (High). The flaw allows authenticated users with access to the Strapi admin panel to access email and password reset tokens for API users if the content they have access to also has a relationship to other API users.
Exploitation requires the password reset API endpoint to be enabled.

“In a worst-case scenario, a low-privileged user gets access to a high-privileged API account and can thereby read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users,” the researchers said.

The CVE-2022-30618 flaw was reported to the Strapi maintainers in December and was fixed in versions 3.6.10 and 4.0.10, which were released on May 11.
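Both flaws described above are, at root, a serialization problem: a related user record (the Editor who updated a post, or another API user linked to the content) is embedded in a content item's JSON response with its credential fields intact. As an added illustration of the defensive fix, not code from Strapi or from the Synopsys researchers, the sanitizer below strips such fields from nested relations before a response is returned, and a companion check reports any JSON paths where they still appear. The field names, the set of fields treated as sensitive and the sample post are assumptions constructed for this example.

```javascript
// Added example (not Strapi project code). Field names below are assumptions
// modelled on typical user schemas; which fields count as sensitive is a
// per-deployment policy decision.
const SENSITIVE_FIELDS = new Set([
  'password',
  'resetPasswordToken',
  'registrationToken',
  'confirmationToken',
]);

// Recursively remove sensitive keys from JSON-derived data, including the
// related entities embedded in a content item (e.g. its `updatedBy` admin
// user or `author` API user). Arrays of relations are handled too.
function sanitizeResponse(value) {
  if (Array.isArray(value)) return value.map((v) => sanitizeResponse(v));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (SENSITIVE_FIELDS.has(k)) continue;
    out[k] = sanitizeResponse(v);
  }
  return out;
}

// Detection helper: return the JSON paths at which sensitive fields appear,
// so a response can be checked (e.g. in an integration test) before shipping.
function findLeakedFields(value, path = '$', acc = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findLeakedFields(v, `${path}[${i}]`, acc));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (SENSITIVE_FIELDS.has(k)) acc.push(p);
      else findLeakedFields(v, p, acc);
    }
  }
  return acc;
}

// Constructed sample: a blog post as returned to an Author, with the Editor
// who last updated it embedded as a relation. All values are made up.
const samplePost = {
  id: 42,
  title: 'Quarterly update',
  updatedBy: {
    id: 7,
    email: 'editor@example.com',
    resetPasswordToken: 'CONSTRUCTED-TOKEN',
    password: 'CONSTRUCTED-HASH',
  },
};

console.log(findLeakedFields(samplePost)); // ['$.updatedBy.resetPasswordToken', '$.updatedBy.password']
console.log(findLeakedFields(sanitizeResponse(samplePost))); // []
```

Running the leak check against unsanitized responses in a test suite is a cheap regression guard: a future relation added to a content type that pulls in a user record will surface as a new path rather than as a silent token exposure.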