cve/2019/CVE-2019-18818.md

CVE-2019-18818

Description

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

POC

Reference

• http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
• http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
• https://github.com/strapi/strapi/pull/4443
• https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5

Github

• https://github.com/0xaniketB/HackTheBox-Horizontall
• https://github.com/ARPSyndicate/cvemon
• https://github.com/ARPSyndicate/kenzer-templates
• https://github.com/Anogota/Horizontall
• https://github.com/Enes4xd/Enes4xd
• https://github.com/Enes4xd/aleyleiftaradogruu
• https://github.com/Enes4xd/ezelnur6327
• https://github.com/Enes4xd/kirik_kalpli_olan_sayfa
• https://github.com/Enes4xd/salih_.6644
• https://github.com/Enes4xd/salihalkan4466
• https://github.com/Shadawks/Strapi-CVE-2019-1881
• https://github.com/aleyleiftaradogruu/aleyleiftaradogruu
• https://github.com/cayserkiller/cayserkiller
• https://github.com/codiobert/codiobert
• https://github.com/cr0ss2018/cr0ss2018
• https://github.com/crossresmii/cayserkiller
• https://github.com/crossresmii/crossresmii
• https://github.com/crossresmii/salihalkan4466
• https://github.com/daltonmeridio/WriteUpHorizontall
• https://github.com/ezelnur6327/Enes4xd
• https://github.com/ezelnur6327/ezelnur6327
• https://github.com/glowbase/CVE-2019-19609
• https://github.com/guglia001/CVE-2019-18818
• https://github.com/hadrian3689/strapi_cms_3.0.0-beta.17.7
• https://github.com/ossf-cve-benchmark/CVE-2019-18818
• https://github.com/rasyidfox/CVE-2019-18818
• https://github.com/xr4aleyna/Enes4xd
• https://github.com/xr4aleyna/aleyleiftaradogruu
• https://github.com/xr4aleyna/crossresmii
• https://github.com/xr4aleyna/xr4aleyna