13 matches found

Snyk
added 2026/04/02 9:00 p.m., 1 views

Malicious Package

Overview: strapi-plugin-config is a malicious package. This package contains malicious code that conceals a command-and-control agent and credential harvester. A malicious actor published a coordinated campaign of thirty-six packages disguised as community Strapi CMS plugins. These packages aren't...

CVSS 9.8, AI score 6
Exploits: 0, References: 2
BDU FSTEC
added 2025/01/30 12:00 a.m., 2 views

The vulnerability of the Strapi content management system, related to the lack of protective measures for web pages, allows a hacker to execute arbitrary JavaScript code.

A vulnerability in the Strapi content management platform is related to the lack of security measures for web pages. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code by loading a specially crafted PDF file remotely...

CVSS 4.3, AI score 5.9
Exploits: 0, Affected Software: 1
Metasploit
added 2024/11/21 6:54 p.m., 357 views

Strapi CMS Unauthenticated Password Reset

This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4. Module Options: msf > use auxiliary/scanner/http/strapi3passwordreset msf...

CVSS 9.8, AI score 8.4, EPSS 0.97639
Exploits: 13
Tenable Nessus
added 2023/11/15 12:00 a.m., 26 views

Strapi < 4.8.0 Private Fields Sensitive Information Disclosure

Strapi is a popular open-source headless Content Management System (CMS) written in Node.js. Strapi versions before 4.8.0 suffer from an information disclosure vulnerability through collections' private fields. By manipulating public collections' query filters, a remote and unauthenticated attacker c...

CVSS 9.8, AI score 7.4, EPSS 0.01658
Exploits: 2, References: 4
OSV
added 2023/11/06 6:26 p.m., 21 views

CVE-2023-39345 Unauthorized Access to Private Fields in User Registration API in strapi

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such, malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users...

CVSS 7.6, AI score 7.4, EPSS 0.00496
Exploits: 1, References: 3
Prion
added 2023/07/25 6:15 p.m., 13 views

Design/Logic Flaw

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the t(number) prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to...

CVSS 5, AI score 7.3, EPSS 0.00906
Exploits: 1, References: 2, Affected Software: 1
CNNVD
added 2022/05/13 12:00 a.m., 1 views

Strapi cross-site scripting vulnerability

Strapi is an open source content management system (CMS). Strapi suffers from a cross-site scripting vulnerability that stems from insufficient filtering of user-supplied data in the file upload function, which can be exploited by remote attackers to inject and execute arbitrary HTML and script cod...

CVSS 4.8, AI score 5.6, EPSS 0.00707
Exploits: 0, References: 6
0day.today
added 2022/02/08 12:00 a.m., 263 views

Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) Exploit

This module requires Metasploit: http://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. require 'msf/core' class MetasploitModule "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)", 'Description' => %q This exploit module abuses the...

CVSS 9.8, AI score 0.4, EPSS 0.97639
Exploits: 13
Packet Storm
added 2022/02/08 12:00 a.m., 242 views

Strapi CMS 3.0.0-beta.17.4 Privilege Escalation

This module requires Metasploit: http://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. require 'msf/core' class MetasploitModule "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)", 'Description' => %q This exploit module abuses the...

CVSS 9.8, AI score 0.8, EPSS 0.97639
Exploits: 13
Exploit DB
added 2022/02/08 12:00 a.m., 300 views

Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)

This module requires Metasploit: http://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. require 'msf/core' class MetasploitModule "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)", 'Description' => %q This exploit module abuses the...

CVSS 9.8, AI score 9.8, EPSS 0.97639
Exploits: 13
Packet Storm
added 2021/08/30 12:00 a.m., 335 views

Strapi CMS 3.0.0-beta.17.4 Remote Code Execution

Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
Date: 2021-08-30
Exploit Author: Musyoka Ian
Vendor Homepage: https://strapi.io/
Software Link: https://strapi.io/
Version: Strapi CMS version 3.0.0-beta.17.4 or lower
Tested on: Ubuntu 20.04
CVE: CVE-2019-1881...

CVSS 9.8, AI score 8.4, EPSS 0.97639
Exploits: 21
0day.today
added 2021/08/30 12:00 a.m., 329 views

Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (Unauthenticated) Exploit

Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
Exploit Author: Musyoka Ian
Vendor Homepage: https://strapi.io/
Software Link: https://strapi.io/
Version: Strapi CMS version 3.0.0-beta.17.4 or lower
Tested on: Ubuntu 20.04
CVE: CVE-2019-18818, CVE-2019-19609...

CVSS 9.8, AI score 0.2, EPSS 0.97639
Exploits: 21
Exploit DB
added 2021/08/30 12:00 a.m., 1407 views

Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)

Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
Date: 2021-08-30
Exploit Author: Musyoka Ian
Vendor Homepage: https://strapi.io/
Software Link: https://strapi.io/
Version: Strapi CMS version 3.0.0-beta.17.4 or lower
Tested on: Ubuntu 20.04
CVE: CVE-2019-1881...

CVSS 9.8, AI score 8.4, EPSS 0.97639
Exploits: 21