Filtered by vendor Strapi
Subscribe
Search
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48218 | 1 Strapi | 1 Protected Populate | 2023-11-29 | N/A | 5.3 MEDIUM |
| The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds. | |||||
| CVE-2022-0764 | 1 Strapi | 1 Strapi | 2022-07-22 | 7.2 HIGH | 6.7 MEDIUM |
| Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. | |||||
| CVE-2022-29894 | 1 Strapi | 1 Strapi | 2022-06-22 | 3.5 LOW | 4.8 MEDIUM |
| Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. | |||||
| CVE-2020-27666 | 1 Strapi | 1 Strapi | 2020-10-27 | 3.5 LOW | 5.4 MEDIUM |
| Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature. | |||||
| CVE-2020-13961 | 1 Strapi | 1 Strapi | 2020-06-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails. | |||||
| CVE-2020-8123 | 1 Strapi | 1 Strapi | 2020-02-06 | 4.0 MEDIUM | 4.9 MEDIUM |
| A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights can lead to arbitrary restart of the application. | |||||