CVE-2022-29894 – strapi
Package
Manager: npm
Name: strapi
Vulnerable Version: >=0 <=3.6.10
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00476 (percentile: 0.6397)
Details
Cross-site Scripting in Strapi
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who is logged in to the product with administrative privileges.
Metadata
Created: 2022-06-14T00:00:38Z
Modified: 2022-06-24T00:53:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-mcqm-6ff4-53qx/GHSA-mcqm-6ff4-53qx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-mcqm-6ff4-53qx
Finding: F425
Auto approve: 1