Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package strapi, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2020-27664 — CVSS 9.8 (critical): admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
CVE-2019-18818 — CVSS 9.8 (critical): strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-p…
CVE-2022-27263 — CVSS 9.8 (critical): An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted…
CVE-2022-31367 — CVSS 8.8 (high): Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
CVE-2022-30617 — CVSS 8.8 (high): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens…
CVE-2021-28128 — CVSS 8.1 (high): In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who…
CVE-2021-46440 — CVSS 7.5 (high): Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an…
CVE-2022-30618 — CVSS 7.5 (high): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens…
CVE-2019-19609 — CVSS 7.2 (high): The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the…
CVE-2020-13961 — CVSS 6.5 (medium): Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global…
CVE-2022-29894 — CVSS 4.8 (medium): Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this…