Strapi, a leading headless content management system (CMS) designed for API development, has applied patches to address two significant vulnerabilities that could lead to the compromise of administrative accounts. Organizations using Strapi should update their installations immediately to secure their systems against possible threats exploiting these flaws.
Researchers from the Synopsys Cybersecurity Research Center (CyRC) discovered the vulnerabilities, which allowed a low-privilege user to obtain sensitive information. Exploiting these flaws could enable attackers to reset the password of a high-privilege account, including administrators. To exploit the vulnerabilities, attackers must initially gain access to a low-privileged account using techniques such as compromised credentials or phishing.
Built on the Node.js JavaScript runtime, Strapi is a headless CMS that supports various databases and frontend frameworks. Its primary function is to provide a backend system for creating, managing, and storing content. This content can be exposed through an API, allowing developers to create independent frontend integrations. These powerful tools make Strapi a popular choice for enterprises looking to design APIs for multiple use cases, including websites, mobile applications, and Internet of Things (IoT) devices.
Despite its smaller market share compared to general-purpose CMS products like WordPress or Joomla, Strapi has attracted big-name organizations such as IBM, NASA, Generali, Walmart, and Toyota as users. This trend illustrates the potential risks associated with these vulnerabilities as they may affect significant global companies.
The first flaw, tracked as CVE-2022-30617, was identified in November by Synopsys researchers. They found that an authenticated user with Strapi admin panel access could access the email and password reset tokens of administrative users with a content relationship. Attackers could then use this information to initiate a password reset process targeting high-privilege users. Strapi supports role-based access control (RBAC) and single sign-on (SSO) integration with identity providers and Microsoft Active Directory.
Strapi v4.0.0 patched the CVE-2022-30617 vulnerability back in November. The fix was also backported to Strapi v3.6.10, which was released this month. The flaw has a Common Vulnerability Scoring System (CVSS) rating of 8.8 (High).
Upon reviewing the initial patch for CVE-2022-30617, Synopsys researchers uncovered a similar issue in the API permissions system, affecting API users managed by the users-permissions plugin. This second vulnerability, identified as CVE-2022-30618, has a CVSS rating of 7.5 (High). The flaw allows authenticated users with Strapi admin panel access to obtain email and password reset tokens for API users with content relationships to other API users.
Exploiting the CVE-2022-30618 flaw requires an enabled password reset API endpoint. In a worst-case scenario, a low-privilege user could gain access to a high-privilege API account, read and modify any data, and even block access to the admin panel and API for all other users by revoking their privileges. Strapi maintainers were notified of the CVE-2022-30618 issue in December, and the patch was applied in versions 3.6.10 and 4.0.10, which were released on May 11.
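The two flaws share one pattern: a sensitive attribute of a user record (such as a password reset token) travelling inside a populated relation in an API response. The following is an added example, not Strapi's own code, of a regression check a team can run against its own API output after upgrading, alongside a recursive sanitizer that shows the mitigation. The attribute names in PRIVATE_FIELDS and the response shape are assumed for illustration.

```javascript
// Added example, not Strapi's own code. Attribute names are assumed;
// check the private attributes of your own content types.
const PRIVATE_FIELDS = new Set(['password', 'resetPasswordToken']); // assumed names

// Walk a JSON-decoded response (objects, arrays, populated relations) and
// return the paths at which a private attribute is still exposed.
function findLeakedFields(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findLeakedFields(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (PRIVATE_FIELDS.has(k)) found.push(`${path}.${k}`);
      else findLeakedFields(v, `${path}.${k}`, found);
    }
  }
  return found;
}

// Return a copy with private attributes removed at every depth, so a relation
// to another user cannot carry that user's secrets. Input is left unchanged.
function sanitizeEntity(value) {
  if (Array.isArray(value)) return value.map(sanitizeEntity);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.entries(value)
      .filter(([k]) => !PRIVATE_FIELDS.has(k))
      .map(([k, v]) => [k, sanitizeEntity(v)])
  );
}

// Constructed sample response: an article populated with its author, whose
// record in turn relates to a second API user. All values are made up.
const constructedResponse = {
  id: 7,
  title: 'Launch notes',
  author: {
    id: 1,
    username: 'editor',
    email: 'editor@example.invalid',
    resetPasswordToken: 'constructed-token-1',
    manager: { id: 2, username: 'api-admin', resetPasswordToken: 'constructed-token-2' },
  },
  tags: [{ id: 3, name: 'release', owner: { id: 2, password: 'constructed-hash' } }],
};

console.log('leaked:', findLeakedFields(constructedResponse));
console.log('after sanitize:', findLeakedFields(sanitizeEntity(constructedResponse)));
```

The leak check reports every nested path carrying a private attribute, so it can be pointed at captured responses from the endpoints an application actually exposes.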
In addition to conventional CMS platforms, organizations may consider alternative solutions that provide advantages for their specific use cases. AppMaster, a powerful no-code platform, enables users to create backend, web, and mobile applications with ease. AppMaster provides comprehensive support for creating data models, business logic, REST APIs, and WebSocket Secure Endpoints, making it a popular choice for a wide range of application development scenarios.