Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
strapi strapi vulnerabilities and exploits
(subscribe to this query)
4
CVSSv2
CVE-2020-8123
A denial of service exists in strapi v3.0.0-beta.18.3 and previous versions that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
Strapi Strapi
Strapi Strapi 3.0.0
9
CVSSv2
CVE-2022-30617
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For exa...
Strapi Strapi 4.0.0
Strapi Strapi
7.5
CVSSv2
CVE-2019-18818
strapi prior to 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Strapi Strapi
Strapi Strapi 3.0.0
8 Github repositories
9
CVSSv2
CVE-2019-19609
The Strapi framework prior to 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa func...
Strapi Strapi
Strapi Strapi 3.0.0
9 Github repositories
NA
CVE-2022-31367
Strapi prior to 3.6.10 and 4.x prior to 4.1.10 mishandles hidden attributes within admin API responses.
Strapi Strapi
NA
CVE-2023-37263
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field w...
Strapi Strapi
NA
CVE-2023-22621
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
Strapi Strapi
3 Github repositories
NA
CVE-2023-22894
Strapi up to and including 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker ...
Strapi Strapi
1 Github repository
7.5
CVSSv2
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi prior to 3.2.5 has unwanted /proxy?url= functionality.
Strapi Strapi
5
CVSSv2
CVE-2020-27665
In Strapi prior to 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
Strapi Strapi
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
firewall
CVE-2024-35649
stored XSS
CVE-2022-28654
CVE-2020-35153
CVE-2024-27348
CVE-2022-28652
local users
CVE-2017-3506
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »