Strapi
by Strapi
Source repositories
CVEs (30)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-22621 | | | 0.00 | — | 0.77 | | Apr 19, 2023 | Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email… |
| CVE-2023-22893 | | | 0.00 | — | 0.04 | | Apr 19, 2023 | Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and… |
| CVE-2023-22894 | | | 0.00 | — | 0.02 | | Apr 19, 2023 | Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super… |
| CVE-2022-31367 | | | 0.00 | — | 0.01 | | Sep 27, 2022 | Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. |
| CVE-2022-32114 | | | 0.00 | — | 0.02 | | Jul 13, 2022 | An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be… |
| CVE-2022-29894 | | | 0.00 | — | 0.01 | | Jun 13, 2022 | Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. |
| CVE-2022-30618 | | | 0.00 | — | 0.01 | | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are… |
| CVE-2022-30617 | | | 0.00 | — | 0.01 | | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For… |
| CVE-2022-27263 | | | 0.00 | — | 0.03 | | Apr 12, 2022 | An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2022-0764 | | | 0.00 | — | 0.01 | | Feb 26, 2022 | Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. |
Page 2 of 2