Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
References
Link | Resource |
---|---|
https://github.com/strapi/strapi/releases | Release Notes |
https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve | Vendor Advisory |
https://www.ghostccamm.com/blog/multi_strapi_vulns/ | Exploit Third Party Advisory |
Configurations
History
01 May 2023, 18:09
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CWE | CWE-74 | |
References | (MISC) https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve - Vendor Advisory | |
References | (MISC) https://github.com/strapi/strapi/releases - Release Notes | |
References | (MISC) https://www.ghostccamm.com/blog/multi_strapi_vulns/ - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:* |
19 Apr 2023, 19:52
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-19 16:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-22621
Mitre link : CVE-2023-22621
CVE.ORG link : CVE-2023-22621
JSON object : View
Products Affected
strapi
- strapi
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')