Strapi Security Vulnerabilities and Issues — Strapi CVE List

Lucene search

StrapiStrapi

9 matches found

CVE•added 2023/09/15 8:15 p.m.•2510 views

CVE-2023-38507

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1...

9.8CVSS8.3AI score0.00255EPSS

CVE•added 2023/07/25 6:15 p.m.•2488 views

CVE-2023-34235

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the t(number) prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to an...

8.6CVSS7.8AI score0.01258EPSS

CVE•added 2023/04/19 4:15 p.m.•166 views

CVE-2023-22894

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then th...

4.9CVSS5.2AI score0.15192EPSS

CVE•added 2023/04/19 4:15 p.m.•148 views

CVE-2023-22621

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses t...

7.2CVSS7.3AI score0.83441EPSS

CVE•added 2023/04/19 4:15 p.m.•111 views

CVE-2023-22893

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that u...

7.5CVSS7.7AI score0.71416EPSS

CVE•added 2023/09/15 7:15 p.m.•90 views

CVE-2023-37263

Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Ve...

6.8CVSS5AI score0.00085EPSS

CVE•added 2023/09/15 7:15 p.m.•48 views

CVE-2023-36472

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be sele...

5.8CVSS5.3AI score0.00137EPSS

CVE•added 2023/11/06 7:15 p.m.•44 views

CVE-2023-39345

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users ar...

7.6CVSS7.3AI score0.00079EPSS

CVE•added 2023/07/25 3:15 p.m.•38 views

CVE-2023-34093

Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the actual content types...

7.1CVSS5.8AI score0.00069EPSS