CVE-2022-32114

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
strapistrapi
4.1.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.strapi.io/dev-docs/configurations/public-assets
https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles
https://github.com/bypazs/strapi
https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14
https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33
https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e
https://docs.strapi.io/dev-docs/configurations/public-assets
https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles
https://github.com/bypazs/strapi
https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14
https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33
https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e