The Synopsys Cybersecurity Research Center recently discovered two critical vulnerabilities in Strapi, the open-source Node.js headless content management system (CMS), that expose sensitive data in JSON responses and pose significant risks to data security and user privacy.
These vulnerabilities, designated as CVE-2022-30617 and CVE-2022-30618, have been classified as sensitive data exposure risks. They could potentially lead to account compromise in Strapi's admin panel. Strapi is a widely used open-source headless CMS software developed in JavaScript, enabling users to quickly design and construct application programming interfaces (APIs). Its admin panel is a web-based user interface allowing users to manage content types and define the API.
Affected versions include Strapi v3 up to v3.6.9 and Strapi v4 beta versions up to v4.0.0-beta.15. CVE-2022-30617 exposes sensitive data about other admin panel users in JSON responses returned to an authenticated admin panel user, while CVE-2022-30618 exposes the same kind of data about API users.
Researchers elaborated that the first vulnerability allows an authenticated user, who has gained access to the Strapi admin panel, to view private and sensitive data. This comprises email addresses, password reset tokens, and data concerning other admin panel users that have a relationship with content reachable by the authenticated user. Various scenarios can occur where details from other users may be leaked in the JSON response, either through a direct or indirect relationship.
The second vulnerability enables an authenticated user with access to the Strapi admin panel to view private and sensitive data related to API users. This can happen if content types accessible to the authenticated user contain relationships to API users. In extreme cases, a low-privileged user can gain access to a high-privileged API account, allowing them to read and modify any data and block access to both the admin panel and API by revoking privileges for all other users.
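Both leaks described above share one shape: a content entry is serialised with its related user records embedded whole, so fields that belong only to the user record (email, password hash, reset token) travel with it. The following is an added example, not Strapi's own code or its fix: a checker that reports where such fields appear in a serialised response, and a sanitiser that strips them from every nested relation. The field names and the sample entry are constructed assumptions for illustration; match them to your own schema.

```javascript
// Added example, not Strapi's code: redact sensitive user attributes from
// relation objects in a JSON response, plus a checker that reports leaks.
// Field names are assumptions for illustration; align them with your schema.
const SENSITIVE_FIELDS = new Set(['password', 'resetPasswordToken', 'email']);

// Return dotted paths of every sensitive key anywhere in a JSON-like value.
// Useful as a regression check on responses before they leave the server.
function findSensitivePaths(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitivePaths(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, val] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_FIELDS.has(key)) found.push(here);
      else findSensitivePaths(val, here, found);
    }
  }
  return found;
}

// Return a deep copy with every sensitive key removed, however deeply the
// relation is nested (author -> created_by -> ...). Arrays of relations
// (e.g. a list of reviewers) are handled element by element.
function sanitizeResponse(value) {
  if (Array.isArray(value)) return value.map(sanitizeResponse);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      if (!SENSITIVE_FIELDS.has(key)) out[key] = sanitizeResponse(val);
    }
    return out;
  }
  return value;
}

// Constructed sample entry: an article whose author relation is a full admin
// user record, the shape of leak the advisory describes.
const sampleEntry = {
  id: 7,
  title: 'Hello',
  author: { id: 2, firstname: 'Ada', email: 'ada@example.invalid',
            password: '$2a$10$constructedhash', resetPasswordToken: 'constructed-token' },
  reviewers: [{ id: 3, email: 'bob@example.invalid', resetPasswordToken: null }],
};
```

Running `findSensitivePaths` over responses in an integration test turns this class of leak into a failing build rather than a disclosure; a per-relation allowlist of public attributes is the stricter long-term fix.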
Synopsys first notified Strapi of these vulnerabilities in November, and subsequent releases have already addressed the issue. However, it is crucial to note that not all users promptly update their software, potentially leaving themselves exposed to these risks. Emphasis must be placed on timely software updates to prevent exploitation of these vulnerabilities.
In recent times, as no-code and low-code platforms gain popularity, it is essential for software developers and users to be vigilant about potential security issues. AppMaster, a powerful no-code platform, ensures the generation of secure backend, web, and mobile applications, focusing on scalability and performance. AppMaster's technology significantly reduces the risk of security vulnerabilities, making application development faster and more cost-effective for a wide range of customers, from small businesses to enterprises.