Description

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

Remediation

References

https://github.com/strapi/strapi

https://jvn.jp/en/jp/JVN44550983/index.html

https://strapi.io/

Related Vulnerabilities

CVE-2022-41878 Vulnerability in npm package parse-server

CVE-2019-19771 Vulnerability in npm package hdeky

CVE-2020-7690 Vulnerability in maven package org.webjars.bower:jspdf

CVE-2016-10546 Vulnerability in maven package org.webjars:pouchdb

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.13

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Product Third Party Advisory Vendor Advisory