CVE-2022-29894: XSS
First published: Mon Jun 13 2022(Updated: )
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.
Credit: vultures@jpcert.or.jp
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Strapi Strapi | <=3.6.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2022-29894.
What is the severity of CVE-2022-29894?
The severity of CVE-2022-29894 is medium with a severity value of 4.8.
What software versions are affected by CVE-2022-29894?
Strapi v3.x.x versions and earlier, up to and including version 3.6.10, are affected by CVE-2022-29894.
What is the impact of CVE-2022-29894?
By exploiting CVE-2022-29894, an arbitrary script may be executed on the web browser of a user with administrative privileges logging in to the Strapi product.
How can CVE-2022-29894 be fixed?
To fix CVE-2022-29894, it is recommended to update Strapi to a version beyond 3.6.10, where the vulnerability has been patched.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- agent/source
- vendor/strapi
- canonical/strapi strapi
- version/strapi strapi/3.6.10