CVE-2020-13961

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-13961

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13961.json

Aliases

GHSA-65wv-528r-m892

Published

2020-06-19T17:15:14Z

Modified

2023-11-29T07:54:34.489243Z

Details

Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.

References

Affected packages

Git / github.com/strapi/strapi

Affected ranges

Type: GIT
Repo: https://github.com/strapi/strapi
Events: Introduced

0The exact introduced commit is unknown

Fixed

497fb742eb795b1135e4e0c20ef638c4ab50dd72

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.1.0

v1.2.0

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v3.*

v3.0.0

v3.0.0-alpha.10.1

v3.0.0-alpha.10.2

v3.0.0-alpha.10.3

v3.0.0-alpha.11

v3.0.0-alpha.11.1

v3.0.0-alpha.11.2

v3.0.0-alpha.11.3

v3.0.0-alpha.12

v3.0.0-alpha.12.1

v3.0.0-alpha.12.2

v3.0.0-alpha.12.3

v3.0.0-alpha.12.4

v3.0.0-alpha.12.5

v3.0.0-alpha.12.6

v3.0.0-alpha.12.7

v3.0.0-alpha.12.7.1

v3.0.0-alpha.13

v3.0.0-alpha.13.0.1

v3.0.0-alpha.13.1

v3.0.0-alpha.14

v3.0.0-alpha.14.1

v3.0.0-alpha.14.1.1

v3.0.0-alpha.14.2

v3.0.0-alpha.14.3

v3.0.0-alpha.14.4.0

v3.0.0-alpha.14.5

v3.0.0-alpha.15

v3.0.0-alpha.16

v3.0.0-alpha.17

v3.0.0-alpha.18

v3.0.0-alpha.19

v3.0.0-alpha.20

v3.0.0-alpha.21

v3.0.0-alpha.22

v3.0.0-alpha.23

v3.0.0-alpha.23.1

v3.0.0-alpha.24

v3.0.0-alpha.24.1

v3.0.0-alpha.25

v3.0.0-alpha.25.1

v3.0.0-alpha.25.2

v3.0.0-alpha.26

v3.0.0-alpha.26.1

v3.0.0-alpha.26.2

v3.0.0-alpha.4

v3.0.0-alpha.4.8

v3.0.0-alpha.5.3

v3.0.0-alpha.5.5

v3.0.0-alpha.6.3

v3.0.0-alpha.6.4

v3.0.0-alpha.6.7

v3.0.0-alpha.7.3

v3.0.0-alpha.8

v3.0.0-alpha.8.3

v3.0.0-alpha.9

v3.0.0-alpha.9.1

v3.0.0-alpha.9.2

v3.0.0-beta.0

v3.0.0-beta.1

v3.0.0-beta.10

v3.0.0-beta.11

v3.0.0-beta.12

v3.0.0-beta.13

v3.0.0-beta.14

v3.0.0-beta.15

v3.0.0-beta.16

v3.0.0-beta.16.1

v3.0.0-beta.16.2

v3.0.0-beta.16.3

v3.0.0-beta.16.4

v3.0.0-beta.16.5

v3.0.0-beta.16.6

v3.0.0-beta.16.7

v3.0.0-beta.16.8

v3.0.0-beta.17

v3.0.0-beta.17.1

v3.0.0-beta.17.2

v3.0.0-beta.17.3

v3.0.0-beta.17.4

v3.0.0-beta.17.5

v3.0.0-beta.17.6

v3.0.0-beta.17.7

v3.0.0-beta.17.8

v3.0.0-beta.18

v3.0.0-beta.18.1

v3.0.0-beta.18.2

v3.0.0-beta.18.3

v3.0.0-beta.18.4

v3.0.0-beta.18.5

v3.0.0-beta.18.6

v3.0.0-beta.18.7

v3.0.0-beta.18.8

v3.0.0-beta.19

v3.0.0-beta.19.1

v3.0.0-beta.19.2

v3.0.0-beta.19.3

v3.0.0-beta.19.4

v3.0.0-beta.19.5

v3.0.0-beta.2

v3.0.0-beta.20

v3.0.0-beta.20.1

v3.0.0-beta.20.2

v3.0.0-beta.20.3

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.0.0-beta.6

v3.0.0-beta.7

v3.0.0-beta.8

v3.0.0-beta.9

v3.0.0-rc.0

v3.0.0-rc.1

v3.0.1