Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
strapi strapi vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv2
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi prior to 3.2.5 has unwanted /proxy?url= functionality.
Strapi Strapi
5
CVSSv2
CVE-2020-27665
In Strapi prior to 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
Strapi Strapi
3.5
CVSSv2
CVE-2020-27666
Strapi prior to 3.2.5 has stored XSS in the wysiwyg editor's preview feature.
Strapi Strapi
NA
CVE-2023-34235
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the `t(number)` prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as i...
Strapi Strapi
5
CVSSv2
CVE-2021-46440
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi prior to 3.6.9 and 4.x prior to 4.1.5 allows an malicious user to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and ...
Strapi Strapi
NA
CVE-2023-39345
strapi is an open-source headless CMS. Versions before 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version...
Strapi Strapi
6
CVSSv2
CVE-2022-30618
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are man...
Strapi Strapi
NA
CVE-2023-36472
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure th...
Strapi Strapi
NA
CVE-2023-37263
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field w...
Strapi Strapi
NA
CVE-2023-38507
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack i...
Strapi Strapi
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-30310
CVE-2024-21683
CVE-2024-22187
chrome
deserialization
XPath injection
CVE-2024-27842
denial of service
CVE-2024-24851
google
CVE-2024-35400
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
NEXT »