PT-2021-17761 · Strapi · Strapi

Jürgen Zöller

·

Published

2021-05-06

·

Updated

2021-10-06

·

CVE-2021-28128

CVSS v3.1

8.1

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Strapi 3.6.0 and earlier. The source does not spell out a full version range, but 3.6.0 is the latest version reported as vulnerable and the fix shipped in 3.6.1.
Description: The admin panel in Strapi allows an authenticated user to change their own password without supplying the current password. The change is gated on the session alone, so an attacker who obtains a valid admin session (for example through a stolen session token or an unattended logged-in browser) can set a new password and take over the account permanently.
Recommendations: Update Strapi 3.6.0 and earlier to version 3.6.1 or later. Until the update can be applied, restrict network access to the admin panel (for example by IP allow-listing or a VPN) to reduce exposure, and treat any unexpected admin password change as a compromise indicator.


Weakness Enumeration

Related Identifiers

CVE-2021-28128
GHSA-37HX-4MCQ-WC3H

Affected Products

Strapi