npm package
strapi
pkg:npm/strapi
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-31367 | — | — | — | < 3.6.10 | 3.6.10 | Sep 27, 2022 | Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. |
| CVE-2022-29894 | — | — | — | <= 3.6.10 | — | Jun 13, 2022 | Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. |
| CVE-2022-30618 | — | — | — | >= 3.0.0, < 3.6.9 | 3.6.9 | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are man |
| CVE-2022-30617 | — | — | — | >= 3.0.0, < 3.6.9 | 3.6.9 | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For exa |
| CVE-2021-46440 | — | — | — | < 3.6.9 | 3.6.9 | May 3, 2022 | Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext passwo |
| CVE-2022-27263 | — | — | — | <= 4.1.5 | — | Apr 12, 2022 | An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2022-0764 | — | — | — | < 4.1.0 | 4.1.0 | Feb 26, 2022 | Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. |
| CVE-2021-28128 | — | — | — | <= 3.6.0 | — | May 6, 2021 | In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password. |
| CVE-2020-27664 | — | — | — | < 3.2.5 | 3.2.5 | Oct 22, 2020 | admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality. |
| CVE-2020-13961 | — | — | — | < 3.0.2 | 3.0.2 | Jun 19, 2020 | Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email templ |
| CVE-2019-19609 | — | — | — | < 3.0.0-beta.17.8 | 3.0.0-beta.17.8 | Dec 5, 2019 | The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa functi |
| CVE-2019-18818 | — | — | — | < 3.0.0-beta.17.5 | 3.0.0-beta.17.5 | Nov 7, 2019 | strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. |
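The table's "Affected versions" column is the practical takeaway, but reading it by hand is error-prone in two ways: the ranges need real SemVer ordering (the 2019 fixes are prerelease versions such as `3.0.0-beta.17.8`, which sort below `3.0.0`), and two rows (CVE-2022-31367, CVE-2021-46440) list only the 3.x range while their descriptions also name a 4.x range. The script below is an added example, not code from this page or from the Strapi project: it encodes the ranges above (with the 4.x alternatives taken from the description column), compares versions with a small hand-rolled SemVer comparator so it needs no npm dependency, and prints the matching CVE ids for a given version. The file name `check-strapi.js` and the range grammar (comparators joined by commas or spaces are ANDed, `||` separates alternatives) are assumptions of the example.

```javascript
// Added example (not part of this page or of the Strapi project): check an
// installed strapi version against the affected ranges listed in the table above.
// SemVer comparison is hand-rolled so the script has no dependency on the npm
// `semver` package and runs offline with plain `node`.

// Ranges copied from the "Affected versions" column. For two rows the description
// also gives a 4.x range that the range column omits; it is added here as a second
// alternative after `||`. Assumption: an empty "Fixed in" cell means no fixed
// version is recorded on the page, so the range is used exactly as printed.
const ADVISORIES = [
  { id: 'CVE-2022-31367', range: '< 3.6.10 || >= 4.0.0, < 4.1.10' },
  { id: 'CVE-2022-29894', range: '<= 3.6.10' },
  { id: 'CVE-2022-30618', range: '>= 3.0.0, < 3.6.9' },
  { id: 'CVE-2022-30617', range: '>= 3.0.0, < 3.6.9' },
  { id: 'CVE-2021-46440', range: '< 3.6.9 || >= 4.0.0, < 4.1.5' },
  { id: 'CVE-2022-27263', range: '<= 4.1.5' },
  { id: 'CVE-2022-0764',  range: '< 4.1.0' },
  { id: 'CVE-2021-28128', range: '<= 3.6.0' },
  { id: 'CVE-2020-27664', range: '< 3.2.5' },
  { id: 'CVE-2020-13961', range: '< 3.0.2' },
  { id: 'CVE-2019-19609', range: '< 3.0.0-beta.17.8' },
  { id: 'CVE-2019-18818', range: '< 3.0.0-beta.17.5' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (SemVer 2.0). Build metadata is
// accepted but ignored for ordering, as the spec requires.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifier ordering: numeric identifiers compare as numbers and sort
// before alphanumeric ones, which compare lexically.
function compareIdentifier(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns <0, 0 or >0; "3.0.0-beta.17.8" sorts below "3.0.0".
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre.length && !b.pre.length) return 0;
  if (!a.pre.length) return 1;   // a release is greater than any of its prereleases
  if (!b.pre.length) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifier(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length;  // the longer prerelease list is greater
}

// Range grammar (assumed for this example): comparators joined by commas or spaces
// are ANDed; `||` separates alternatives. Unlike the npm `semver` package, a
// prerelease version may satisfy any comparator, so "3.0.0-beta.17.6" matches
// "< 3.0.2". For a vulnerability check that is the conservative choice.
function satisfies(version, range) {
  return range.split('||').some(alt => {
    const comparators = alt.replace(/([<>=]+)\s+/g, '$1').trim().split(/[\s,]+/).filter(Boolean);
    return comparators.every(comp => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      if (op === '<') return c < 0;
      if (op === '<=') return c <= 0;
      if (op === '>') return c > 0;
      if (op === '>=') return c >= 0;
      return c === 0;
    });
  });
}

// CVE ids from the table whose affected range covers `version`, in table order.
function affectedBy(version) {
  return ADVISORIES.filter(a => satisfies(version, a.range)).map(a => a.id);
}

// Usage: node check-strapi.js 3.6.8   (guarded so it is a no-op when imported)
if (typeof require !== 'undefined' && require.main === module) {
  const version = process.argv[2] || '4.0.5';  // constructed default for the demo
  const hits = affectedBy(version);
  console.log(hits.length ? `strapi ${version}: ${hits.join(', ')}` : `strapi ${version}: no listed CVE matches`);
}
```

Feed it the `version` field from `node_modules/strapi/package.json` (the installed version), not the caret range declared in your own `package.json`, which says nothing about what was actually resolved. Note that with the ranges exactly as the table prints them, `<= 4.1.5` for CVE-2022-27263 also matches every 3.x release even though the description names only v4.1.5; the script reports what the page records rather than second-guessing it.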