Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
strapi strapi vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2019-18818
strapi prior to 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Strapi Strapi
Strapi Strapi 3.0.0
8 Github repositories
4.9
CVSSv3
CVE-2020-8123
A denial of service exists in strapi v3.0.0-beta.18.3 and previous versions that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
Strapi Strapi
Strapi Strapi 3.0.0
7.2
CVSSv3
CVE-2019-19609
The Strapi framework prior to 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa func...
Strapi Strapi
Strapi Strapi 3.0.0
9 Github repositories
8.8
CVSSv3
CVE-2022-30617
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For exa...
Strapi Strapi 4.0.0
Strapi Strapi
8.8
CVSSv3
CVE-2022-31367
Strapi prior to 3.6.10 and 4.x prior to 4.1.10 mishandles hidden attributes within admin API responses.
Strapi Strapi
7.5
CVSSv3
CVE-2023-34235
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the `t(number)` prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as i...
Strapi Strapi
8.1
CVSSv3
CVE-2021-28128
In Strapi up to and including 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
Strapi Strapi
5.7
CVSSv3
CVE-2023-36472
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure th...
Strapi Strapi
7.2
CVSSv3
CVE-2023-22621
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
Strapi Strapi
3 Github repositories
9.8
CVSSv3
CVE-2023-38507
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack i...
Strapi Strapi
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3080
log injection
CVE-2024-6041
CVE-2024-37661
XML external entity
CVE-2024-0845
privilege escalation
CVE-2023-37057
CVE-2024-27801
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »