Description

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

Remediation

References

https://github.com/strapi/strapi

https://jvn.jp/en/jp/JVN44550983/index.html

https://strapi.io/

Related Vulnerabilities

CVE-2022-32114 Vulnerability in npm package @strapi/strapi

CVE-2018-11775 Vulnerability in maven package org.apache.activemq:activemq-core

CVE-2018-16475 Vulnerability in npm package knightjs

CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on

CVE-2022-45387 Vulnerability in maven package org.jenkins-ci.plugins:bart

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Product Third Party Advisory Vendor Advisory