← back
CVE-2023-22621

CVE-2023-22621

CVSS 10 CRITICALEPSS 76.8%CWE-74
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found1
githubgithub.com/sofianeelhor/CVE-2023-22621-POC25
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/strapi/strapi/releaseshttps://strapi.io/blog/security-disclosure-of-vulnerabilities-cvehttps://www.ghostccamm.com/blog/multi_strapi_vulns/