CVE-2023-22621

2023-04-1916:15:07

Google

osv.dev

strapi

ssti

remote code execution

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

79.6%

JSON

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.

CPENameOperatorVersion
strapieq4.0.0-beta.3
strapieq3.3.3
strapieq4.4.4
strapieq4.1.6
strapieq3.4.5
strapieq3.0.6
strapieq4.4.3
strapieq3.6.0
strapieq3.1.0
strapieq3.4.3