Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
strapi vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2023-22893
Strapi up to and including 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authe...
Strapi Strapi
NA
CVE-2023-22894
Strapi up to and including 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker ...
Strapi Strapi
1 Github repository
NA
CVE-2023-22621
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
Strapi Strapi
3 Github repositories
NA
CVE-2023-36472
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure th...
Strapi Strapi
6
CVSSv2
CVE-2022-30618
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are man...
Strapi Strapi
NA
CVE-2023-34093
Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the a...
Strapi Strapi
NA
CVE-2023-34235
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the `t(number)` prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as i...
Strapi Strapi
5
CVSSv2
CVE-2021-46440
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi prior to 3.6.9 and 4.x prior to 4.1.5 allows an malicious user to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and ...
Strapi Strapi
3.5
CVSSv2
CVE-2022-29894
Strapi v3.x.x versions and previous versions contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative ...
Strapi Strapi
NA
CVE-2023-37263
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field w...
Strapi Strapi
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322
cross-site request forgery
unauthorized
CVE-2024-33925
reflected XSS
CVE-2023-51580
CVE-2023-51579
CVE-2015-2051
CVE-2023-51609
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
NEXT »