Description

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

Remediation

References

https://github.com/strapi/strapi

https://jvn.jp/en/jp/JVN44550983/index.html

https://strapi.io/

Related Vulnerabilities

CVE-2017-12617 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-12648 Vulnerability in maven package org.webjars.bower:tinymce

CVE-2020-7733 Vulnerability in maven package org.webjars.bowergithub.faisalman:ua-parser-js

CVE-2019-19609 Vulnerability in npm package strapi

CVE-2019-10406 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Product Third Party Advisory Vendor Advisory