Executive Summary
Informations | |||
---|---|---|---|
Name | CVE-2022-30618 | First vendor Publication | 2022-05-19 |
Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 7.5 | ||
Base Score | 7.5 | Environmental Score | 7.5 |
impact SubScore | 5.9 | Temporal Score | 7.5 |
Exploitabality Sub Score | 1.6 | ||
Attack Vector | Network | Attack Complexity | High |
Privileges Required | Low | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30618 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
CPE : Common Platform Enumeration
Sources (Detail)
Source | Url |
---|
Alert History
Date | Informations |
---|---|
2024-11-28 14:10:39 |
|
2022-06-07 00:27:12 |
|
2022-06-06 21:27:11 |
|
2022-05-20 00:27:12 |
|