Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request. From this, the attacker can get the victim's cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.
{ "cwe_ids": [ "CWE-922" ], "severity": "HIGH", "nvd_published_at": "2022-05-03T18:15:00Z", "github_reviewed_at": "2022-05-18T19:29:59Z", "github_reviewed": true }