strapi vulnerabilities and exploits
CVE-2023-22893 | CVSSv3 7.5 | Strapi Strapi
Strapi up to and including 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authe...
CVE-2023-22894 | CVSSv3 4.9 | Strapi Strapi | 1 Github repository
Strapi up to and including 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker ...
CVE-2022-0764 | CVSSv3 6.7 | Strapi Strapi
Arbitrary Command Injection in GitHub repository strapi/strapi before 4.1.0.
CVE-2023-34235 | CVSSv3 7.5 | Strapi Strapi
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the `t(number)` prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as i...
CVE-2023-37263 | CVSSv3 2.7 | Strapi Strapi
Strapi is an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field w...
CVE-2023-22621 | CVSSv3 7.2 | Strapi Strapi | 3 Github repositories
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
CVE-2020-27665 | CVSSv3 7.5 | Strapi Strapi
In Strapi prior to 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
CVE-2023-39345 | CVSSv3 7.5 | Strapi Strapi
strapi is an open-source headless CMS. Versions before 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such, malicious users may be able to errantly modify their user records. This issue has been addressed in version...
CVE-2020-27664 | CVSSv3 9.8 | Strapi Strapi
admin/src/containers/InputModalStepperProvider/index.js in Strapi prior to 3.2.5 has unwanted /proxy?url= functionality.
CVE-2020-27666 | CVSSv3 5.4 | Strapi Strapi
Strapi prior to 3.2.5 has stored XSS in the wysiwyg editor's preview feature.