Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
strapi vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2019-18818
strapi prior to 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Strapi Strapi
Strapi Strapi 3.0.0
8 Github repositories
4.9
CVSSv3
CVE-2020-8123
A denial of service exists in strapi v3.0.0-beta.18.3 and previous versions that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
Strapi Strapi
Strapi Strapi 3.0.0
8.8
CVSSv3
CVE-2022-30617
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For exa...
Strapi Strapi 4.0.0
Strapi Strapi
7.2
CVSSv3
CVE-2019-19609
The Strapi framework prior to 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa func...
Strapi Strapi
Strapi Strapi 3.0.0
9 Github repositories
7.2
CVSSv3
CVE-2023-22621
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
Strapi Strapi
3 Github repositories
7.5
CVSSv3
CVE-2021-46440
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi prior to 3.6.9 and 4.x prior to 4.1.5 allows an malicious user to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and ...
Strapi Strapi
9.8
CVSSv3
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi prior to 3.2.5 has unwanted /proxy?url= functionality.
Strapi Strapi
2.7
CVSSv3
CVE-2023-37263
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field w...
Strapi Strapi
4.8
CVSSv3
CVE-2022-29894
Strapi v3.x.x versions and previous versions contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative ...
Strapi Strapi
7.5
CVSSv3
CVE-2022-30618
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are man...
Strapi Strapi
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
authentication bypass
CVE-2024-30051
remote
CVE-2024-27954
CVE-2023-51483
CVE-2023-47782
SSRF
CVE-2024-24715
CVE-2023-52424
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »