Strapi

Strapi

34 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2023-38507

Exploit
  • EPSS 0.26%
  • Veröffentlicht 15.09.2023 20:15:08
  • Zuletzt bearbeitet 21.11.2024 08:13:43

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by l...

2.7

CVE-2023-37263

Exploit
  • EPSS 0.09%
  • Veröffentlicht 15.09.2023 19:15:08
  • Zuletzt bearbeitet 21.11.2024 08:11:20

Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permi...

5.7

CVE-2023-36472

Exploit
  • EPSS 0.14%
  • Veröffentlicht 15.09.2023 19:15:08
  • Zuletzt bearbeitet 21.11.2024 08:09:46

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remo...

7.5

CVE-2023-34235

Exploit
  • EPSS 1.64%
  • Veröffentlicht 25.07.2023 18:15:10
  • Zuletzt bearbeitet 21.11.2024 08:06:49

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the `t(number)` prefix. Knex query allows users to change the default prefix. For example, if someone changes ...

7.1

CVE-2023-34093

Exploit
  • EPSS 0.08%
  • Veröffentlicht 25.07.2023 15:15:13
  • Zuletzt bearbeitet 21.11.2024 08:06:31

Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of cont...

7.5

CVE-2023-22893

Exploit
  • EPSS 66.48%
  • Veröffentlicht 19.04.2023 16:15:07
  • Zuletzt bearbeitet 07.11.2025 17:15:46

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypa...

4.9

CVE-2023-22894

Exploit
  • EPSS 19.43%
  • Veröffentlicht 19.04.2023 16:15:07
  • Zuletzt bearbeitet 07.11.2025 17:15:46

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses...

7.2

CVE-2023-22621

Exploit
  • EPSS 86.93%
  • Veröffentlicht 19.04.2023 16:15:07
  • Zuletzt bearbeitet 07.11.2025 17:15:45

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on ...

8.8

CVE-2022-31367

Exploit
  • EPSS 0.63%
  • Veröffentlicht 27.09.2022 23:15:13
  • Zuletzt bearbeitet 22.05.2025 14:15:58

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

8.8

CVE-2022-32114

Exploit
  • EPSS 1.88%
  • Veröffentlicht 13.07.2022 21:15:08
  • Zuletzt bearbeitet 21.11.2024 07:05:47

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" pe...