Unrestricted File Upload Vulnerability in Strapi by Strapi
CVE-2022-32114

8.8HIGH

Key Information:

Vendor: Strapi
Status: Strapi
Vendor: CVE Published:; 13 July 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-32114?

The Add New Assets function in Strapi version 4.1.12 is susceptible to an unrestricted file upload vulnerability. This flaw allows attackers to upload malicious PDF files that can be leveraged to execute cross-site scripting (XSS) attacks. The design permits any file type within the Media Library if the user has the necessary permissions. Administrators can restrict uploaded file types to images, videos, and audios. However, if the public assets configuration is not secured, uploaded files may be accessible externally, posing significant security risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-32114
Created by bypazs

References

https://github.com/bypazs/strapi

https://grimthereaperteam.medium.com/strapi-v4-1-12-unres...

https://docs.strapi.io/dev-docs/configurations/public-assets

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 13, 2022
Vulnerability Reserved
May 31, 2022
🟡
Public PoC available
May 29, 2022
👾
Exploit known to exist
May 29, 2022

CVE-2022-32114 Data

JSON