Description
An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows an authenticated attacker to store a crafted file whose content executes arbitrary script in another user's browser. The attacker uploads a file carrying the payload, and Strapi then serves that file from the application's own origin. When a victim copies the uploaded file's URL and opens it directly in a new tab, the browser renders the file as a document rather than treating it as an inert asset and runs the embedded script. The root cause is the missing restriction on what may be uploaded (CWE-434); the impact is stored cross-site scripting (CWE-79) in the context of the Strapi origin.
Recommendation
No fix is available yet. The following versions are affected:
- <= 4.1.12
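Because no fixed release is listed, the practical question is how to mitigate the pattern described above: a stored file that the browser will render as active content when served inline from the application origin. The example below is added for this page and is not code from Strapi or from the advisory. It shows two independent controls, a check at upload time that rejects files a browser would execute script from, and a set of response headers for the path that serves uploads so that whatever does get stored is downloaded or sandboxed instead of rendered. The `/uploads/` prefix, the active-content type list and the sample files are assumptions chosen for illustration, not Strapi settings.

```javascript
// Added example (not Strapi's own code): defence in depth against stored XSS
// via uploaded files. Both functions operate on plain values so they run
// without Strapi installed; wiring them into a specific framework is left to
// the reader.
//
// Assumption (labelled): uploaded files are served under this URL prefix.
const UPLOAD_PREFIX = '/uploads/';

// MIME types a browser renders as a document and will execute script from
// when the file is opened directly in a tab. Illustrative list, not exhaustive.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

// Extensions with the same property, checked independently of the declared
// MIME type because the client controls that header.
const ACTIVE_CONTENT_EXTENSIONS = new Set(['html', 'htm', 'xhtml', 'svg', 'svgz', 'xml']);

// Markers that give an SVG/XML body a way to run code in the viewer's browser:
// <script> elements, event-handler attributes, javascript: URLs and embedded
// HTML via <iframe> or <foreignObject>.
const SCRIPT_MARKERS = [
  /<script[\s>]/i,
  /\son[a-z]+\s*=/i, // onload=, onclick=, ...
  /javascript\s*:/i,
  /<iframe[\s>]/i,
  /<foreignObject[\s>]/i,
];

// Upload-time check. `head` is the first bytes of the file (Buffer or string).
// Returns { ok, reason }; ok === false means the file must be rejected.
function inspectUpload({ filename, mimeType, head }) {
  const declared = (mimeType || '').split(';')[0].trim().toLowerCase();
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const text = Buffer.isBuffer(head) ? head.toString('utf8') : String(head);

  if (ACTIVE_CONTENT_TYPES.has(declared)) {
    return { ok: false, reason: `active content type ${declared}` };
  }
  if (ACTIVE_CONTENT_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `active content extension .${ext}` };
  }
  // Content sniffing: a ".png" whose body starts with <svg> is still an SVG
  // to a browser, so look at the bytes, not just the name and header.
  if (/^\s*(<\?xml|<!doctype|<svg|<html)/i.test(text)) {
    return { ok: false, reason: 'file body is markup, not an image' };
  }
  for (const re of SCRIPT_MARKERS) {
    if (re.test(text)) return { ok: false, reason: `script marker ${re}` };
  }
  return { ok: true, reason: 'no active content detected' };
}

// Serve-time control. For any response under the upload prefix: force a
// download instead of inline rendering, stop MIME sniffing, and sandbox
// anything that is rendered anyway so it cannot run script or reach the
// application origin. Returns the header map to merge into the response.
function uploadResponseHeaders(urlPath) {
  if (!urlPath.startsWith(UPLOAD_PREFIX)) return {};
  return {
    'Content-Disposition': 'attachment',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed sample inputs (not real uploads): an SVG carrying an event
// handler, and the first bytes of a PNG.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><circle r="10"/></svg>';
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(24),
]);

console.log(inspectUpload({ filename: 'logo.svg', mimeType: 'image/svg+xml', head: SAMPLE_SVG }));
console.log(inspectUpload({ filename: 'photo.png', mimeType: 'image/png', head: SAMPLE_PNG }));
// Disguised: PNG name and MIME type, SVG body.
console.log(inspectUpload({ filename: 'photo.png', mimeType: 'image/png', head: SAMPLE_SVG }));
console.log(uploadResponseHeaders('/uploads/logo.svg'));
```

The two controls are deliberately independent: the upload check protects against files that reach storage through the vulnerable endpoint, while the response headers protect files that are already stored or that slip past an allow list. Where uploads must stay viewable inline (public images, for instance), serve them from a separate origin so that a rendered payload has no access to the Strapi session.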
References
- GHSA-4vm8-j95f-j6v5
- grimthereaperteam.medium.com
- docs.strapi.io
- CVE-2022-32114
- CWE-434
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
- Cross-site Scripting in Auth0 Lock - CVE-2022-29172
- Cross site scripting in mobiledoc-kit - CVE-2022-2932
Tags
- npm
- @strapi/strapi
Last updated on March 21, 2024