139 matches found
Denial-of-Service (DoS)
@strapi/plugin-upload is vulnerable to Denial-of-Service DoS. The vulnerability is due to the server crashing without restarting when handling errors, causing it to become unavailable for all clients until manually restarted...
@chargeover/strapi (=0.0.1-rc1.1), @cowprotocol/cms (=0.1.0-rc.5) +14 more potentially affected by CVE-2024-34065 via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.1.9)
@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =0.0.1, =0.1.0, =0.1.10 - strapi-voting =0.2.1 - strapigo =0.1.0 - sveltekit-strapi =0.1.0 and more Source cves: CVE-2024-34065 Source advisory: OSV:GHSA-WRVH-RCMR-9QFC...
@beardeddudes/strapi-types (=0.1.0), @bimbeo160/admin (=4.12.2) +61 more potentially affected by CVE-2024-31217 via @strapi/plugin-upload (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.21.1)
@strapi/plugin-upload NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =4.12.2, =1.0.9, =1.0.0-alpha.0, =1.1.0, =4.12.4-lakileki.1, =3.5.2, =9.0.2 and more Source cves: CVE-2024-31217 Source advisory: OSV:GHSA-PM9Q-XJ9P-96PM...
CVE-2024-31217
CVE-2024-31217 is a DoS in Strapi’s media upload via @strapi/plugin-upload prior to version 4.22.0. The vulnerability can crash the server during file uploads without restart, affecting both development and production environments. The issue arises when errors are mishandled, causing the server t...
PT-2024-25676 · Strapi · @Strapi/Plugin-Users-Permissions
Name of the Vulnerable Software and Affected Versions: @strapi/plugin-users-permissions versions prior to 4.24.2 Description: The issue arises from combining two vulnerabilities in @strapi/plugin-users-permissions: an Open Redirect and a session token sent as a URL query parameter. This allows an...
Improper Authorization
strapi-plugin-protected-populate is vulnerable to Improper Authorization. The vulnerability is due to the protectPopulate function of protect-route.js, which allows a users to populate fields they don't have access, resulting in field-level security bypass...
@mattie-bundle/mattie-strapi-bundle-example (>=1.0.0-alpha.2 <=1.0.0-alpha.3), sneakmax (=0.1.0) +3 more potentially affected by CVE-2023-39345 via @strapi/plugin-users-permissions (>=4.0.2 <=4.11.2)
@strapi/plugin-users-permissions NPM version =4.0.2, =1.0.0-alpha.2, =1.0.0-alpha.3 - sneakmax =0.1.0 - sneakmaxtesttemplate =0.1.0 - sneakmaxtesttemplatev2 =0.1.0 - sveltekit-strapi =0.1.0 Source cves: CVE-2023-39345 Source advisory: OSV:GHSA-GC7P-J5XM-XXH2...
@mattie-bundle/mattie-strapi-bundle-example (>=1.0.0-alpha.0 <=1.0.0-alpha.3), sneakmax (=0.1.0) +3 more potentially affected by CVE-2023-38507 via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.11.2)
@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =1.0.0-alpha.3 - sneakmax =0.1.0 - sneakmaxtesttemplate =0.1.0 - sneakmaxtesttemplatev2 =0.1.0 - sveltekit-strapi =0.1.0 Source cves: CVE-2023-38507 Source advisory: OSV:GHSA-24Q2-59HM-RH9R...
@antgineering-studio/strapi (=4.5.5), @beardeddudes/strapi-types (>=0.1.0 <=0.1.1) +126 more potentially affected by CVE-2023-22621 via @strapi/plugin-email (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.5.5)
@strapi/plugin-email NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =4.2.0, =4.2.2, =0.0.1, =1.0.1, =0.1.1, =1.0.9, =0.0.1, =0.0.5 and more Source cves: CVE-2023-22621 Source advisory: OSV:GHSA-2H87-4Q2W-V4HF...
@chargeover/strapi (=0.0.1-rc1.1), @cowprotocol/cms (=0.1.0-rc.5) +27 more potentially affected by CVE-2023-22893 via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.5.1)
@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =2.1.0, =1.0.0, =0.1.1, =0.0.1, =0.1.0, =1.0.10, =4.3.15 - robsen-strapi-site =0.1.0 - sneakmax =0.1.0 and more Source cves: CVE-2023-22893 Source advisory: OSV:GHSA-583X-23H9-F5W7...
@chargeover/strapi (=0.0.1-rc1.1), @cowprotocol/cms (=0.1.0-rc.5) +27 more potentially affected by unknown CVE via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.5.1)
@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =2.1.0, =1.0.0, =0.1.1, =0.0.1, =0.1.0, =1.0.10, =4.3.15 - robsen-strapi-site =0.1.0 - sneakmax =0.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XV3Q-JRMM-4FXV...
Authentication Bypass
strapi-plugin-ezforms is vulnerable to authentication bypass. The vulnerability exists due to improper capture validation which allows a malicious user to login into the system using unauthorized capture...
GHSA-8MGQ-6R2Q-82W9 Captcha Bypass in strapi-plugin-ezforms
Impact Users using any captcha providers Patches 0.1.0 References Issue...
Captcha Bypass in strapi-plugin-ezforms
Impact Users using any captcha providers Patches 0.1.0 References Issue...
CVE-2021-46440
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to...
CVE-2021-46440
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to...
Insecure Authorization
strapi-plugin-content-type-builder suffers from insecure authorization. The admin::hasPermissions restriction for the content-type-builder CTB routes are not configured, allowing unauthorized access to the affected resources...
@koj/strapi (>=0.0.0 <=1.4.0), strapi-editorjs (=0.0.1) +1 more potentially affected by CVE-2020-27666 via strapi-plugin-content-manager (>=3.0.0-beta.18.7 <=3.1.6)
strapi-plugin-content-manager NPM version =3.0.0-beta.18.7, =0.0.0, =0.0.1-alpha.1, =0.0.1-alpha.2 Source cves: CVE-2020-27666 Source advisory: OSV:GHSA-QVP5-MM7V-4F36...
Unsecured Proxy
strapi-plugin-upload contains an unsecured proxy. An unauthenticated user is able to access the proxy without any authorization, allowing for access to other protected resources...