CVE-2021-46440

Insecure Storage of Sensitive Information in npm/strapi

Identifiers

CVE-2021-46440

Package Slug

npm/strapi

Vulnerability

Insecure Storage of Sensitive Information

Description

The DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 stores passwords in a recoverable format. An attacker who can access a victim's HTTP request can take the victim's cookie, base64-decode it, and obtain a cleartext password. The password gives access to the API documentation, which can then be used for further attacks against the API.

Affected Versions

All versions before 3.6.9, all versions starting from 4.0.0 before 4.1.5

Solution

Upgrade to version 3.6.9, 4.1.5, or above.
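
To check a project against the affected ranges above, the following added example (not part of the advisory or of Strapi's code) scans an npm lockfile's `packages` map for `strapi` entries. The lockfile shape (lockfileVersion 2 or 3), the function names and the sample data are assumptions made for illustration; prereleases of 4.0.0 are flagged conservatively.

```javascript
// Added example: flag lockfile entries that fall inside the advisory's ranges
// (before 3.6.9, or 4.x before 4.1.5).
const FIXED_3X = [3, 6, 9];
const FIXED_4X = [4, 1, 5];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null if not semver-like.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `ver` sorts before release `fixed`; a prerelease of `fixed` counts as before it.
function isBefore(ver, fixed) {
  for (let i = 0; i < 3; i++) {
    if (ver.nums[i] !== fixed[i]) return ver.nums[i] < fixed[i];
  }
  return ver.pre;
}

// true = affected, false = fixed, null = version string could not be parsed.
function isAffected(version) {
  const ver = parseVersion(version);
  if (!ver) return null;
  if (isBefore(ver, FIXED_3X)) return true;
  // 4.x line: 4.0.0 prereleases are flagged too (conservative assumption).
  return ver.nums[0] === 4 && isBefore(ver, FIXED_4X);
}

// Walk the "packages" map; keys look like "node_modules/strapi".
function findAffected(lock, names = ["strapi"]) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!names.includes(path.split("node_modules/").pop())) continue;
    const status = isAffected(meta.version);
    if (status !== false) {
      hits.push({ path, version: meta.version, status: status ? "affected" : "unparsed" });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/strapi": { version: "3.6.8" },
  "node_modules/lodash": { version: "4.0.0" },
  "node_modules/tool/node_modules/strapi": { version: "3.6.9" },
} };
console.log(findAffected(sampleLock));
```

Entries reported as "unparsed" (for example a git or tarball reference in place of a version) need a manual look.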

Last Modified

2022-05-12
