Description
An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file. After an authenticated attacker uploads a file containing a malicious URL, a victim copies and pastes the malicious URL into a new tab to receive the XSS payload.
Recommendation
No fix is available yet. The following versions are affected:
- <= 4.1.12
References
- GHSA-4vm8-j95f-j6v5
- grimthereaperteam.medium.com
- docs.strapi.io
- CVE-2022-32114
- CWE-434
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- ejson shell parser in MongoDB Compass may be bypassed - CVE-2024-6376
Tags
- npm
- @strapi/strapi
Last updated on March 21, 2024