CVE-2022-29894
MEDIUM
Strapi v3.x.x - Stored Cross-Site Scripting in File Upload Function
Title source: llm
Description
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who is logged in to the product with administrative privileges.
References (3)
Core References
Vendor Advisory x_refsource_misc
https://strapi.io/
Product, Third Party Advisory x_refsource_misc
https://github.com/strapi/strapi
Third Party Advisory x_refsource_misc
https://jvn.jp/en/jp/JVN44550983/index.html
Scores
CVSS v3
4.8
EPSS
0.0048
EPSS Percentile
65.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
npm/strapi
0npm
strapi/strapi
< 3.6.10
Published
Jun 13, 2022
Tracked Since
Feb 18, 2026