Command Injection in strapi
High severity
GitHub Reviewed
Published Sep 4, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023
Reviewed Aug 31, 2020

Description
Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands on the server.

Recommendation
Upgrade to version 3.0.0-beta.17.8 or later
References