Description
An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file. After an authenticated attacker uploads a file containing a malicious URL, a victim copies and pastes the malicious URL into a new tab to receive the XSS payload.
Recommendation
No fix is available yet. The following versions are affected:
- <= 4.1.12
References
- GHSA-4vm8-j95f-j6v5
- grimthereaperteam.medium.com
- docs.strapi.io
- CVE-2022-32114
- CWE-434
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
- Cross-site Scripting in fullpage.js - CVE-2022-1330
- Cross-site Scripting in tableexport.jquery.plugin - CVE-2022-1291
- Cross-site Scripting in vditor - CVE-2022-0350
Tags
- npm
- @strapi/strapi
Last updated on March 21, 2024