CVE-2019-19609
CVE-2019-19609
Vexday Risk Score
57Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Proof of concept
Popular PoC on GitHub (9 stars) — exploitation code widely available.
CVSS —EPSS 54.1%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
05 Dec 2019Published on NVD
29 Aug 2021Public PoC
Weaponization speed
632 daysto first PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
Affected products
n/a · n/apublic PoCs found — 17
githubgithub.com/diego-tella/CVE-2019-19609-EXPLOIT★ 9githubgithub.com/ebadfd/CVE-2019-19609★ 7githubgithub.com/glowbase/CVE-2019-19609★ 2githubgithub.com/RamPanic/CVE-2019-19609-EXPLOIT★ 0githubgithub.com/n000xy/CVE-2019-19609-POC-Python★ 0githubgithub.com/guglia001/CVE-2019-19609★ 0githubgithub.com/D3m0nicw0lf/CVE-2019-19609★ 0vulncheckvulncheck.com/xdb/a629da38980eunverifiedvulncheckvulncheck.com/xdb/8c772fa0f6d4unverifiedcve_referencepacketstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.htmlunverifiedvulncheckvulncheck.com/xdb/e1bc6a4c6994unverifiedcve_referencepacketstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/50238unverifiedvulncheckvulncheck.com/xdb/2fda5db4c975unverifiedvulncheckvulncheck.com/xdb/f709935a6faaunverifiedvulncheckvulncheck.com/xdb/50265bd1c780unverifiedvulncheckvulncheck.com/xdb/010e050a13ddunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.htmlhttps://bittherapy.net/post/strapi-framework-remote-code-execution/https://github.com/strapi/strapi/pull/4636