692 matches found
Strapi Cross-Site Scripting Vulnerability
Strapi is an open source headless content management system CMS. A cross-site scripting vulnerability exists in Strapi versions prior to 3.2.5, which stems from the fact that Strapi has stored XSS in the preview feature of the WYSIWYG editor, which can be exploited by an attacker to obtain user...
Unsecured Proxy
strapi-plugin-upload contains an unsecured proxy. An unauthenticated user is able to access the proxy without any authorization, allowing for access to other protected resources...
Insecure Proxy
strapi uses insecure proxy. The vulnerability exists because access to proxy gives insecure access...
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...
CVE-2020-27665
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...
CVE-2020-27666
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...
CVE-2020-27665
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...
CVE-2020-27666
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...
Code injection
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...
Cross site scripting
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...
Design/Logic Flaw
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...
CVE-2020-27664
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...
CVE-2020-27664
Strapi prior to 3.2.5 contains a vulnerability in admin/src/containers/InputModalStepperProvider/index.js enabling an unwanted proxy/ URL parameter handling ("/proxy?url=") that could be abused. Public sources (NVD entry CVE-2020-27664, Red Hat advisory, GitHub/OSSV and GHSA) document this as an ...
CVE-2020-27665
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB aka content-type-builder routes...
CVE-2020-27665
CVE-2020-27665 affects Strapi before 3.2.5, where the admin::hasPermissions restriction is not enforced for CTB (content-type-builder) routes. The root cause is missing authorization controls on CTB routes, enabling potential unauthorized access to resources via CTB endpoints. Public details in c...
CVE-2020-27666
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature...
CVE-2020-27666
Strapi before 3.2.5 is affected by a stored XSS in the WYSIWYG editor’s preview feature. The vulnerability arises from unvalidated input being stored and subsequently rendered, enabling an attacker to inject scripts that run in a victim’s browser. A fix is available in Strapi 3.2.5 (see reference...
GHSA-9P2W-RMX4-9MW7 Command Injection in strapi
Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade to version...
Command Injection in strapi
Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade to version...