PT-2020-13804 · Strapi · Strapi

Published: 2020-06-19 · Updated: 2022-05-24 · CVE-2020-13961

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 3.0.2

Description: The issue allows a remote authenticated attacker to bypass security restrictions. This is because templates are stored in a global variable without any sanitization, enabling an attacker to update the email template for both password reset and account confirmation emails by sending a specially crafted request.

Recommendations: For versions prior to 3.0.2, update to version 3.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to template updates to minimize the risk of exploitation.
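The weakness class the description names (a shared, mutable template object that any authenticated caller can overwrite, with no check on the template content) and the two mitigations the recommendations point at (restricting who may update templates, and only storing templates that have been validated) are shown side by side in the following added example. This is illustrative code written for this page, not Strapi's code: the function names, the {{PLACEHOLDER}} syntax, the role model and the sample templates are all constructed assumptions.

```javascript
// Added example, not Strapi's code. A hypothetical email-template store with
// two update handlers: the weak pattern the advisory describes (a shared,
// mutable object overwritten from a request body with no checks) beside a
// hardened one that requires a privileged role and validates each template.
// All names, the {{PLACEHOLDER}} syntax and the sample data are constructed.

const ALLOWED_PLACEHOLDERS = new Set(['USERNAME', 'URL', 'TOKEN']);
const TEMPLATE_KEYS = new Set(['reset_password', 'email_confirmation']);
const MAX_TEMPLATE_LENGTH = 4000;

// Constructed sample state: one entry for each template the advisory names.
function makeTemplateStore() {
  return {
    reset_password: {
      subject: 'Reset your password',
      message: 'Hello {{USERNAME}}, reset your password at {{URL}}?code={{TOKEN}}',
    },
    email_confirmation: {
      subject: 'Confirm your account',
      message: 'Hello {{USERNAME}}, confirm your account at {{URL}}?confirmation={{TOKEN}}',
    },
  };
}

// Weak pattern: whatever arrives in the request body replaces the stored
// templates, for any caller, with no validation of the content.
function updateTemplatesUnsafe(store, requestBody) {
  Object.assign(store, requestBody);
  return store;
}

// Validate one template: a length cap, only known placeholders, and no syntax
// that a template engine would evaluate as code rather than substitute.
function validateTemplate(template) {
  if (typeof template !== 'object' || template === null) {
    return { ok: false, reason: 'template must be an object' };
  }
  for (const field of ['subject', 'message']) {
    const text = template[field];
    if (typeof text !== 'string') return { ok: false, reason: `${field} must be a string` };
    if (text.length > MAX_TEMPLATE_LENGTH) return { ok: false, reason: `${field} too long` };
    // Reject anything that looks like engine syntax instead of a plain placeholder.
    if (/<%|%>|\$\{|#\{/.test(text)) return { ok: false, reason: `${field} contains template code` };
    // Every {{...}} must name an allowed placeholder; stray braces are rejected too.
    const stripped = text.replace(/\{\{\s*([A-Z_]+)\s*\}\}/g, (_m, name) =>
      ALLOWED_PLACEHOLDERS.has(name) ? '' : '{{');
    if (stripped.includes('{') || stripped.includes('}')) {
      return { ok: false, reason: `${field} has an unknown placeholder or stray brace` };
    }
  }
  return { ok: true };
}

// Hardened pattern: require an admin role, accept only known template keys,
// validate every template, and only then write into the shared store.
function updateTemplatesSafe(store, caller, requestBody) {
  if (!caller || caller.role !== 'admin') {
    return { ok: false, status: 403, reason: 'admin role required' };
  }
  if (typeof requestBody !== 'object' || requestBody === null) {
    return { ok: false, status: 400, reason: 'body must be an object' };
  }
  const validated = {};
  for (const [key, template] of Object.entries(requestBody)) {
    if (!TEMPLATE_KEYS.has(key)) return { ok: false, status: 400, reason: `unknown template ${key}` };
    const check = validateTemplate(template);
    if (!check.ok) return { ok: false, status: 400, reason: `${key}: ${check.reason}` };
    validated[key] = { subject: template.subject, message: template.message };
  }
  Object.assign(store, validated);
  return { ok: true, status: 200 };
}

// Render by plain substitution only: placeholders are replaced with values and
// nothing in the template text is ever evaluated.
function renderTemplate(template, values) {
  return template.message.replace(/\{\{\s*([A-Z_]+)\s*\}\}/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(values, name) ? String(values[name]) : m);
}
```

The two controls are independent: the role check implements the workaround of restricting who may change templates, and the validation plus substitution-only rendering ensures that even a template stored by a privileged account is treated as data, never as code.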

Tags: Fix, RCE


Weakness Enumeration

Related Identifiers

CVE-2020-13961
GHSA-65WV-528R-M892

Affected Products

Strapi