CVSS: 7.2EPSS: 65%CPEs: 1EXPL: 2CVE-2023-22621
https://notcve.org/view.php?id=CVE-2023-22621
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution. • https://github.com/sofianeelhor/CVE-2023-22621-POC https://github.com/strapi/strapi/releases https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve https://www.ghostccamm.com/blog/multi_strapi_vulns • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 2CVE-2023-22893
https://notcve.org/view.php?id=CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication. • https://github.com/strapi/strapi/releases https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve https://www.ghostccamm.com/blog/multi_strapi_vulns • CWE-287: Improper Authentication •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 3CVE-2023-22894
https://notcve.org/view.php?id=CVE-2023-22894
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts. • https://github.com/Saboor-Hakimi/CVE-2023-22894 https://github.com/strapi/strapi/releases https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve https://www.ghostccamm.com/blog/multi_strapi_vulns • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-31367
https://notcve.org/view.php?id=CVE-2022-31367
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. Strapi versiones anteriores a 3.6.10 y 4.x anteriores a 4.1.10, maneja inapropiadamente los atributos ocultos dentro de las respuestas de la API de administración • https://github.com/kos0ng/CVEs/tree/main/CVE-2022-31367 https://github.com/strapi/strapi/releases/tag/v3.6.10 https://github.com/strapi/strapi/releases/tag/v4.1.10 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-32114
https://notcve.org/view.php?id=CVE-2022-32114
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired. Una vulnerabilidad de carga de archivos sin restricciones en la función Add New Assets de Strapi versión v4.1.12, permite a atacantes ejecutar código arbitrario por medio de un archivo diseñado • https://github.com/bypazs/CVE-2022-32114 https://docs.strapi.io/dev-docs/configurations/public-assets https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles https://github.com/bypazs/strapi https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14 https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js • CWE-434: Unrestricted Upload of File with Dangerous Type •