Strapi

39 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.
Exploit
  • EPSS 1.66%
  • Published 19.04.2023 16:15:07
  • Last modified 07.11.2025 17:15:46

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses...

Exploit
  • EPSS 4.16%
  • Published 19.04.2023 16:15:07
  • Last modified 07.11.2025 17:15:46

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypa...

Exploit
  • EPSS 76.83%
  • Published 19.04.2023 16:15:07
  • Last modified 07.11.2025 17:15:45

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on ...

Exploit
  • EPSS 1.29%
  • Published 27.09.2022 23:15:13
  • Last modified 22.05.2025 14:15:58

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

Exploit
  • EPSS 1.58%
  • Published 13.07.2022 21:15:08
  • Last modified 21.11.2024 07:05:47

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" pe...

  • EPSS 0.71%
  • Published 13.06.2022 05:15:11
  • Last modified 21.11.2024 06:59:55

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with...

  • EPSS 0.9%
  • Published 19.05.2022 18:15:09
  • Last modified 21.11.2024 07:03:02

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:use...

  • EPSS 1.34%
  • Published 19.05.2022 18:15:09
  • Last modified 21.11.2024 07:03:02

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to t...

Exploit
  • EPSS 2.21%
  • Published 03.05.2022 18:15:08
  • Last modified 21.11.2024 06:34:04

Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie,...

Exploit
  • EPSS 3.06%
  • Published 12.04.2022 17:15:10
  • Last modified 21.11.2024 06:55:31

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.