{"id": "GHSA-9P2W-RMX4-9MW7", "bulletinFamily": "software", "title": "Command Injection in strapi", "description": "Versions of `strapi` before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the `/admin/plugins/install/` route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server.\n\n\n## Recommendation\n\nUpgrade to version 3.0.0-beta.17.8 or later", "published": "2020-09-04T16:54:02", "modified": "2020-09-04T16:54:02", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://github.com/advisories/GHSA-9p2w-rmx4-9mw7", "reporter": "GitHub Advisory Database", "references": ["https://github.com/advisories/GHSA-9p2w-rmx4-9mw7", "https://bittherapy.net/post/strapi-framework-remote-code-execution/"], "cvelist": [], "type": "github", "lastseen": "2020-09-04T20:50:38", "edition": 1, "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-9P2W-RMX4-9MW7"]}], "modified": "2020-09-04T20:50:38", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-09-04T20:50:38", "rev": 2}, "vulnersScore": 6.3}, "affectedSoftware": [{"name": "strapi", "operator": "lt", "version": "3.0.0-beta.17.8"}]}

{}