Vulnerabilities > Strapi > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-06-12 | CVE-2024-31217 | Unspecified vulnerability in Strapi. Strapi is an open-source content management system. | 6.5 |
2023-11-20 | CVE-2023-48218 | Incorrect Authorization vulnerability in Strapi Protected Populate. The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. | 5.3 |
2023-09-15 | CVE-2023-36472 | Information Exposure vulnerability in Strapi. Strapi is an open-source headless content management system. | 5.7 |
2023-04-19 | CVE-2023-22894 | Cleartext Storage of Sensitive Information vulnerability in Strapi. Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. | 4.9 |
2022-05-19 | CVE-2022-30618 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi. An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from users-permissions). | 6.0 |
2022-05-03 | CVE-2021-46440 | Insufficiently Protected Credentials vulnerability in Strapi. Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker who can access a victim's HTTP request to obtain the victim's cookie, base64-decode it, and recover a cleartext password, which grants access to the API documentation for further API attacks. | 5.0 |
2022-02-26 | CVE-2022-0764 | Unspecified vulnerability in Strapi. Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. | 6.7 |
2021-05-06 | CVE-2021-28128 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Strapi. In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. | 5.5 |
2020-10-22 | CVE-2020-27665 | Incorrect Default Permissions vulnerability in Strapi. In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes. | 5.0 |
2020-06-19 | CVE-2020-13961 | Improper Input Validation vulnerability in Strapi. Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitization. | 4.0 |