CVE-2019-18818: Strapi allows unauthenticated attacker to reset admin password without valid reset token

Severity: Critical

CVSS Score: 9.8

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.