
Cloud Vulnerability DB
A community-led vulnerabilities database
In Strapi through version 3.6.0, the admin panel lets an authenticated user change their own password without entering the current password (CVE-2021-28128). The flaw was discovered in February 2021 and publicly disclosed on April 26, 2021. All Strapi versions up to and including 3.6.0 are affected; the weakness sits in the content management system's authentication mechanism, specifically the admin-panel password-change flow (SYSS Advisory).
The vulnerability is classified as an Unverified Password Change (CWE-620) with a CVSS v3.1 Base Score of 8.1 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality and integrity impact (C:H, I:H) but no availability impact (A:N) (NVD).
An attacker who obtains a valid admin-panel session (for example a stolen session token or an unattended logged-in browser) can exploit this vulnerability to take over the account outright: because the current password is never verified, a transient session compromise becomes a persistent one, and the legitimate user is locked out once the password is replaced. This could lead to unauthorized access to administrative functions and compromise of the content management system (SYSS Advisory).
The vulnerability was initially reported to the vendor on March 8, 2021, and was publicly disclosed via a GitHub issue. Users should upgrade to a version newer than 3.6.0 to address this issue (SYSS Advisory, GitHub Release). Because exploitation requires an existing admin-panel session, reviewing active sessions and keeping session lifetimes short limits exposure until the upgrade is complete.
Source: This report was generated using AI