Published: 13/07/2022 Updated: 17/05/2024

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows malicious users to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.

Vulnerable Product	Search on Vulmon	Subscribe to Product
strapi strapi 4.1.12

CWE-434 https://github.com/bypazs/strapi https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e https://docs.strapi.io/dev-docs/configurations/public-assets https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14 https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2022-32114

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect