VYPR
Moderate severity · NVD Advisory · Published Jun 13, 2022 · Updated Aug 3, 2024

CVE-2022-29894

Description

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who logs in to the product with administrative privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi v3.x.x and earlier contain a stored XSS vulnerability in the file upload function, allowing arbitrary script execution in an admin's browser.

Vulnerability

Overview

CVE-2022-29894 is a stored cross-site scripting (XSS) vulnerability in Strapi versions 3.x.x and earlier. The flaw resides in the file upload function, where an attacker can inject malicious scripts that are stored on the server and later executed in the browser of an authenticated administrator [1][2]. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [2].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have a valid account with the ability to upload files (e.g., a content manager role). The attack is network-based (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) and requires user interaction: the admin must view the page containing the malicious file [2]. No special network position is needed beyond access to the Strapi admin panel.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin's browser session. This can lead to theft of session cookies, defacement of the admin interface, or further actions such as creating new admin accounts or modifying content [1][2]. The impact is limited to the admin's browser and does not directly affect the server or other users.

Mitigation

Strapi has fixed this vulnerability in version 4.x.x. Users on v3.x.x are advised to upgrade to the latest v4 release, as v3.x.x is planned to reach end-of-life in September 2022 [2]. No workaround is provided; updating is the recommended solution.
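The advisory does not say which upload field carried the script, so the following added example (not Strapi's code) assumes the attacker-controlled values are the stored file name and MIME type of an upload, and shows the two defensive checks that break this bug class: escaping stored metadata before it is rendered in an admin listing, and refusing to serve non-raster uploads inline in the admin origin.

```javascript
// Added example, not Strapi's own code. Assumes uploaded file metadata
// (name, mime) is attacker-controlled and later rendered in an admin page.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character with HTML meaning so stored metadata is shown as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored file name interpolated straight into markup.
function unsafeRow(file) {
  return `<tr><td>${file.name}</td><td>${file.mime}</td></tr>`;
}

// Hardened pattern: every stored field is escaped before it reaches the DOM.
function safeRow(file) {
  return `<tr><td>${escapeHtml(file.name)}</td><td>${escapeHtml(file.mime)}</td></tr>`;
}

// Only raster image types are safe to preview inline. Anything else (SVG,
// HTML, unknown) is served as a download so its content never executes
// in the admin panel's origin, and nosniff stops the browser re-guessing.
const INLINE_PREVIEW_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

function responseHeadersFor(file) {
  const inline = INLINE_PREVIEW_TYPES.has(file.mime);
  return {
    'Content-Type': inline ? file.mime : 'application/octet-stream',
    'Content-Disposition': inline
      ? 'inline'
      : `attachment; filename="${encodeURIComponent(file.name)}"`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample: a file name carrying markup and a non-raster MIME type.
const sample = { name: '<b>report</b>.png', mime: 'image/svg+xml' };
console.log(unsafeRow(sample));         // browser would render the <b> tag
console.log(safeRow(sample));           // tag shown as literal text
console.log(responseHeadersFor(sample)); // forced download, nosniff
```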

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: strapi (npm)
Affected versions: <= 3.6.10
Patched versions:

Affected products (2)

  • ghsa-coords
    Range: <= 3.6.10
  • Strapi/Strapiv5
    Range: v3.x.x versions and earlier

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.