VYPR

Strapi

by Strapi

npm: strapi

Source repositories

CVEs (30)

  • CVE-2023-22621 (Apr 19, 2023)
    risk: 0.00 cvss, epss 0.77

    Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email…

  • CVE-2023-22893 (Apr 19, 2023)
    risk: 0.00 cvss, epss 0.04

    Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and…

  • CVE-2023-22894 (Apr 19, 2023)
    risk: 0.00 cvss, epss 0.02

    Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super…

  • CVE-2022-31367 (Sep 27, 2022)
    risk: 0.00 cvss, epss 0.01

    Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

  • CVE-2022-32114 (Jul 13, 2022)
    risk: 0.00 cvss, epss 0.02

    An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be…

  • CVE-2022-29894 (Jun 13, 2022)
    risk: 0.00 cvss, epss 0.01

    Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who logs in to the product with administrative privileges.

  • CVE-2022-30618 (May 19, 2022)
    risk: 0.00 cvss, epss 0.01

    An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are…

  • CVE-2022-30617 (May 19, 2022)
    risk: 0.00 cvss, epss 0.01

    An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For…

  • CVE-2022-27263 (Apr 12, 2022)
    risk: 0.00 cvss, epss 0.03

    An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

  • CVE-2022-0764 (Feb 26, 2022)
    risk: 0.00 cvss, epss 0.01

    Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.

Page 2 of 2