CVE-2019-18818: Weak Password Recovery Mechanism for Forgotten Password

November 7, 2019 (updated November 13, 2019)

strapi mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

References

nvd.nist.gov/vuln/detail/CVE-2019-18818

Detect and mitigate CVE-2019-18818 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →