Vulnerabilities > Strapi
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-19 | CVE-2023-22621 | Injection vulnerability in Strapi Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. | 7.2 |
| 2023-04-19 | CVE-2023-22893 | Improper Authentication vulnerability in Strapi Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. | 7.5 |
| 2023-04-19 | CVE-2023-22894 | Cleartext Storage of Sensitive Information vulnerability in Strapi Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. | 4.9 |
| 2022-09-27 | CVE-2022-31367 | SQL Injection vulnerability in Strapi Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. | 8.8 |
| 2022-07-13 | CVE-2022-32114 | Unrestricted Upload of File with Dangerous Type vulnerability in Strapi 4.1.12 An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. | 8.8 |
| 2022-06-13 | CVE-2022-29894 | Cross-site Scripting vulnerability in Strapi Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. | 4.8 |
| 2022-05-19 | CVE-2022-30617 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. | 8.8 |
| 2022-05-19 | CVE-2022-30618 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). | 7.5 |
| 2022-05-03 | CVE-2021-46440 | Insufficiently Protected Credentials vulnerability in Strapi Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | 7.5 |
| 2022-04-12 | CVE-2022-27263 | Unrestricted Upload of File with Dangerous Type vulnerability in Strapi 4.1.5 An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file. | 9.8 |