Lucene search
+L

692 matches found

cnvd
cnvd
added 2020/10/25 12:0 a.m.2 views

Strapi Cross-Site Scripting Vulnerability

Strapi is an open source headless content management system CMS. A cross-site scripting vulnerability exists in Strapi versions prior to 3.2.5, which stems from the fact that Strapi has stored XSS in the preview feature of the WYSIWYG editor, which can be exploited by an attacker to obtain user...

5.4CVSS5.7AI score0.00589EPSS
Exploits0References1
veracode
veracode
added 2020/10/23 8:33 a.m.21 views

Unsecured Proxy

strapi-plugin-upload contains an unsecured proxy. An unauthenticated user is able to access the proxy without any authorization, allowing for access to other protected resources...

9.8CVSS4.2AI score0.02264EPSS
Exploits0References3Affected Software1
veracode
veracode
added 2020/10/23 7:12 a.m.13 views

Insecure Proxy

strapi uses insecure proxy. The vulnerability exists because access to proxy gives insecure access...

3AI score
Exploits0
nvd
nvd
added 2020/10/22 7:15 p.m.17 views

CVE-2020-27664

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...

9.8CVSS0.02264EPSS
Exploits0References2
nvd
nvd
added 2020/10/22 7:15 p.m.13 views

CVE-2020-27665

In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...

7.5CVSS0.01195EPSS
Exploits0References2
osv
osv
added 2020/10/22 7:15 p.m.10 views

CVE-2020-27666

Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...

5.4CVSS5.7AI score
Exploits0References2
osv
osv
added 2020/10/22 7:15 p.m.15 views

CVE-2020-27665

In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...

7.5CVSS6.9AI score
Exploits0References2
nvd
nvd
added 2020/10/22 7:15 p.m.24 views

CVE-2020-27666

Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...

5.4CVSS0.00589EPSS
Exploits0References2
osv
osv
added 2020/10/22 7:15 p.m.14 views

CVE-2020-27664

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...

9.8CVSS6.8AI score
Exploits0References2
prion
prion
added 2020/10/22 7:15 p.m.17 views

Code injection

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...

7.5CVSS9.4AI score0.02264EPSS
Exploits0References2Affected Software1
prion
prion
added 2020/10/22 7:15 p.m.11 views

Cross site scripting

Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...

3.5CVSS5.1AI score0.00589EPSS
Exploits0References2Affected Software1
prion
prion
added 2020/10/22 7:15 p.m.16 views

Design/Logic Flaw

In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...

5CVSS7.6AI score0.01195EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2020/10/22 6:19 p.m.20 views

CVE-2020-27664

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...

9.5AI score0.02264EPSS
Exploits0References2
cve
cve
added 2020/10/22 6:19 p.m.62 views

CVE-2020-27664

Strapi prior to 3.2.5 contains a vulnerability in admin/src/containers/InputModalStepperProvider/index.js enabling an unwanted proxy/ URL parameter handling ("/proxy?url=") that could be abused. Public sources (NVD entry CVE-2020-27664, Red Hat advisory, GitHub/OSSV and GHSA) document this as an ...

9.8CVSS9.3AI score0.02264EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2020/10/22 6:19 p.m.21 views

CVE-2020-27665

In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...

7.5AI score0.01195EPSS
Exploits0References2
cve
cve
added 2020/10/22 6:19 p.m.60 views

CVE-2020-27665

CVE-2020-27665 affects Strapi before 3.2.5, where the admin::hasPermissions restriction is not enforced for CTB (content-type-builder) routes. The root cause is missing authorization controls on CTB routes, enabling potential unauthorized access to resources via CTB endpoints. Public details in c...

7.5CVSS7.5AI score0.01195EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2020/10/22 6:19 p.m.26 views

CVE-2020-27666

Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...

5.2AI score0.00589EPSS
Exploits0References2
cve
cve
added 2020/10/22 6:19 p.m.59 views

CVE-2020-27666

Strapi before 3.2.5 is affected by a stored XSS in the WYSIWYG editor’s preview feature. The vulnerability arises from unvalidated input being stored and subsequently rendered, enabling an attacker to inject scripts that run in a victim’s browser. A fix is available in Strapi 3.2.5 (see reference...

5.4CVSS5.1AI score0.00589EPSS
Exploits0References2Affected Software1
osv
osv
added 2020/09/04 4:54 p.m.18 views

GHSA-9P2W-RMX4-9MW7 Command Injection in strapi

Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade to version...

7.2CVSS7.3AI score0.54081EPSS
Exploits11References7
github
github
added 2020/09/04 4:54 p.m.26 views

Command Injection in strapi

Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade to version...

9CVSS6.3AI score0.54081EPSS
Exploits11References7Affected Software1
Rows per page
Query Builder