CVE-2019-18818
published 2019-11-07

CVE-2019-18818: strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and…

Priority: P188 critical
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: ITW exploit, VulnCheck KEV, initial access
Exploited in the wild
EPSS: 97.64% (99.9th percentile)
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

Affected (3 ranges)

Vendor   Product   Version range              Fixed in
strapi   strapi    <= 1.6.4                   -
strapi   strapi    -                          -
strapi   strapi    >= 0, < 3.0.0-beta.17.5    3.0.0-beta.17.5

Detection & IOCs (extracted from sources)

url: /admin/auth/reset-password
url: /admin/init
url: /admin/strapiVersion
command: {"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
command: exploit={"code":{}, "password":newPassword, "passwordConfirmation":newPassword}
path: packages/strapi-admin/controllers/Auth.js
path: packages/strapi-plugin-users-permissions/controllers/Auth.js
yara: matchers on POST /admin/auth/reset-password with body containing '"username":' AND '"email":' AND '"jwt":' and HTTP 200
  • Detect unauthenticated password-reset exploitation by monitoring POST requests to /admin/auth/reset-password whose JSON body carries a NoSQL query operator in the 'code' field instead of a reset token string (e.g. {"$gt": 0} or an empty object {}); a legitimate reset always sends 'code' as a string.
  • A successful exploit response from /admin/auth/reset-password is HTTP 200 with a JSON body containing 'jwt', 'username' and 'email' fields. Because a legitimate reset returns the same shape, treat this response pattern as confirmation of compromise only when paired with an injected 'code' in the request.
  • After a reset, watch for POST requests to /admin/plugins/install whose 'plugin' field contains shell command-injection patterns (e.g. 'documentation && $(cmd)'); this indicates chained exploitation with CVE-2019-19609 using the freshly obtained admin JWT.
  • The Metasploit auxiliary module for this CVE sends a POST to /admin/auth/reset-password with Content-Type application/json and a body containing 'code': {'$gt': 0}; detection should alert on any NoSQL operator object in JSON POST bodies to Strapi admin endpoints.
  • The exploit also works with an empty object '{}' as the 'code' value (not only '$gt': 0), so detection rules must match any object-typed 'code', not the literal '$gt' string alone.
  • The vulnerability affects the 3.0.0-alpha and 3.0.0-beta release lines before 3.0.0-beta.17.5 (the affected table above also lists <= 1.6.4); version checks against /admin/init or /admin/strapiVersion should be used to scope detection to vulnerable instances only.
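The detection bullets above, turned into runnable logic, as an added example (this is not code from the original page or from the Strapi project). It scans constructed proxy-style log records for the injected 'code' object (both the {"$gt": 0} and {} variants), confirms compromise only when the injected request also got the HTTP 200 jwt/username/email response, flags the chained /admin/plugins/install command injection, and scopes by version against the page's fixed version 3.0.0-beta.17.5 with a minimal semver-style comparator. The record shape (method/path/body/status/response_body) and the sample records are assumptions made for this example; map them onto your own WAF or reverse-proxy log format.

```python
"""Detection helpers for CVE-2019-18818 (Strapi password-reset NoSQL injection).

Added example, not code from the original page or from the Strapi project.
The log-record shape (method/path/body/status/response_body) is assumed here.
"""
import json
import re
from typing import Any, Dict, List, Tuple

RESET_PATH = "/admin/auth/reset-password"
PLUGIN_INSTALL_PATH = "/admin/plugins/install"
FIXED_VERSION = "3.0.0-beta.17.5"
# Shell metacharacters that turn the 'plugin' field into command injection (CVE-2019-19609 chain).
SHELL_INJECTION = re.compile(r"[;|`]|&&|\$\(")


def _parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[Any, ...]]:
    """'3.0.0-beta.17.4' -> ((3, 0, 0), ('beta', 17, 4)); a plain release has an empty prerelease."""
    core, _, pre = v.partition("-")
    main = tuple(int(x) for x in core.split("."))
    pre_ids = tuple(int(p) if p.isdigit() else p for p in pre.split(".")) if pre else ()
    return main, pre_ids


def _cmp_prerelease(a: Tuple[Any, ...], b: Tuple[Any, ...]) -> int:
    """Semver prerelease ordering: a release beats any prerelease; numeric ids sort before words."""
    if not a and not b:
        return 0
    if not a:
        return 1
    if not b:
        return -1
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return -1
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def version_lt(a: str, b: str) -> bool:
    ma, pa = _parse_version(a)
    mb, pb = _parse_version(b)
    return ma < mb if ma != mb else _cmp_prerelease(pa, pb) < 0


def is_vulnerable_version(v: str) -> bool:
    """Affected range from the page: >= 0 and < 3.0.0-beta.17.5 (so 3.0.0 final is fixed)."""
    return version_lt(v, FIXED_VERSION)


def check_record(rec: Dict[str, Any]) -> List[str]:
    """Return the findings for one request/response record (empty list = nothing suspicious)."""
    findings: List[str] = []
    if rec.get("method") != "POST":
        return findings
    try:
        body = json.loads(rec.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}
    if not isinstance(body, dict):
        body = {}
    path = rec.get("path", "")
    if path == RESET_PATH:
        # A real reset token is a string; any JSON object ({} or {"$gt": 0}) is an operator injection.
        injected = isinstance(body.get("code"), dict)
        if injected:
            findings.append("reset-password NoSQL injection in 'code'")
        resp = rec.get("response_body") or ""
        got_session = rec.get("status") == 200 and all(
            k in resp for k in ('"jwt"', '"username"', '"email"'))
        # The jwt/username/email body is also what a legitimate reset returns,
        # so it only confirms compromise together with the injected request.
        if injected and got_session:
            findings.append("confirmed: injected reset returned jwt/username/email (account takeover)")
    elif path == PLUGIN_INSTALL_PATH:
        plugin = body.get("plugin", "")
        if isinstance(plugin, str) and SHELL_INJECTION.search(plugin):
            findings.append("plugin install with shell metacharacters: CVE-2019-19609 chain")
    return findings


def scan(records: List[Dict[str, Any]]) -> List[Tuple[int, List[str]]]:
    """Run check_record over a log and return (index, findings) for the records that fired."""
    return [(i, f) for i, rec in enumerate(records) if (f := check_record(rec))]


# Constructed sample log (not real traffic): legitimate reset, two injection variants,
# chained plugin install, and an unrelated version probe.
SAMPLE_LOG = [
    {"method": "POST", "path": RESET_PATH, "status": 200,
     "body": '{"code": "3f9a0c1e7b2d", "password": "p", "passwordConfirmation": "p"}',
     "response_body": '{"jwt":"eyJhbGciOi","user":{"username":"alice","email":"alice@example.com"}}'},
    {"method": "POST", "path": RESET_PATH, "status": 200,
     "body": '{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}',
     "response_body": '{"jwt":"eyJhbGciOi","user":{"username":"admin","email":"admin@example.com"}}'},
    {"method": "POST", "path": RESET_PATH, "status": 400,
     "body": '{"code": {}, "password": "p", "passwordConfirmation": "p"}',
     "response_body": '{"statusCode":400,"error":"Bad Request"}'},
    {"method": "POST", "path": PLUGIN_INSTALL_PATH, "status": 200,
     "body": '{"plugin": "documentation && $(id)", "port": "1337"}', "response_body": "{}"},
    {"method": "GET", "path": "/admin/strapiVersion", "status": 200, "response_body": '{"strapiVersion":"3.0.0-beta.17.4"}'},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOG):
        print(idx, found)
    print("3.0.0-beta.17.4 vulnerable:", is_vulnerable_version("3.0.0-beta.17.4"))
```

Record 1 (the `$gt` variant with a 200 jwt response) yields both the injection and the confirmation finding, record 2 (the `{}` variant rejected with a 400) yields only the attempt, and the legitimate string-token reset at index 0 yields nothing even though its response also carries jwt/username/email.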

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL