** DISPUTED ** An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.
References
Configurations
History
19 May 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | ** DISPUTED ** An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired. | |
References |
|
25 Jul 2022, 12:33
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-434 | |
CPE | cpe:2.3:a:strapi:strapi:4.1.12:-:*:*:*:*:*:* | |
References | (MISC) https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/bypazs/strapi - Product | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
13 Jul 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-07-13 21:15
Updated : 2024-08-03 08:15
NVD link : CVE-2022-32114
Mitre link : CVE-2022-32114
CVE.ORG link : CVE-2022-32114
JSON object : View
Products Affected
strapi
- strapi
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type