npm package
@strapi/plugin-users-permissions
pkg:npm/%40strapi/plugin-users-permissions
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22706 | Med | 6.5 | < 5.33.3 | 5.33.3 | May 14, 2026 | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admi | |
| CVE-2025-64526 | Med | 5.3 | < 5.45.0 | 5.45.0 | May 14, 2026 | Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an ` | |
| CVE-2024-34065 | — | < 4.24.2 | 4.24.2 | Jun 12, 2024 | Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentica | ||
| CVE-2023-39345 | — | >= 4.0.0, < 4.13.1 | 4.13.1 | Nov 6, 2023 | strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in versi | ||
| CVE-2023-38507 | — | < 4.12.1 | 4.12.1 | Sep 15, 2023 | Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increa | ||
| CVE-2023-22893 | — | >= 3.2.1, < 4.6.0 | 4.6.0 | Apr 19, 2023 | Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and imperson | ||
| CVE-2023-22621 | — | < 4.5.6 | 4.5.6 | Apr 19, 2023 | Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email templ |
- affected < 5.33.3fixed 5.33.3
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admi
- affected < 5.45.0fixed 5.45.0
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `
- CVE-2024-34065Jun 12, 2024affected < 4.24.2fixed 4.24.2
Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentica
- CVE-2023-39345Nov 6, 2023affected >= 4.0.0, < 4.13.1fixed 4.13.1
strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in versi
- CVE-2023-38507Sep 15, 2023affected < 4.12.1fixed 4.12.1
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increa
- CVE-2023-22893Apr 19, 2023affected >= 3.2.1, < 4.6.0fixed 4.6.0
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and imperson
- CVE-2023-22621Apr 19, 2023affected < 4.5.6fixed 4.5.6
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email templ