- Strapi issued a security alert advising users to upgrade to Strapi version 4.x.x.
- Support for Strapi 3.x.x expired in December 2022.
- The platform added that attackers could exploit the vulnerabilities.
Strapi, the open-source headless Content Management System (CMS), issued a security disclosure of vulnerabilities, alerting users to upgrade from Strapi version 3.x.x, which expired on December 31, 2022. The platform cautioned users running version 3.x.x or below to update to version 4.x.x immediately.
Following the security alert, the Chinese reporter Collin Wu drew the attention of the Twitter community by posting on his official page, Wu Blockchain, to raise awareness of the issue:
Notably, the reporter added that attackers could misuse the vulnerability to take over admin accounts; he suggested upgrading as soon as possible, since a “large number of projects in the cryptocurrency industry” depend on Strapi.
Significantly, Strapi stated that a researcher reported on December 29, 2022, that a server-side template injection (SSTI) vulnerability was affecting the email template system of its users-permissions plugin.
In detail, the SSTI vulnerability allowed the default email template to be modified so that “malicious code” was executed on the server, i.e. remote code execution (RCE).
Notably, Strapi chose not to elaborate on the in-depth details of the vulnerabilities; instead, the platform wanted to “communicate on the IoCs (indicators of compromise)”, directing users to analyze whether they had been affected.
Further, Strapi noted that the vulnerability likely affects all Strapi v3 versions and Strapi v4 versions prior to v4.5.6, and advised users to upgrade beyond v4.8.0.
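The version ranges above are the practical trigger for a defender: is the project's installed Strapi inside them? The script below is an added example, not code from the article or from Strapi. It classifies a Strapi version against the ranges the disclosure names (every v3 release and v4 before v4.5.6 affected; upgrade beyond v4.8.0 advised) and can be pointed at a `package.json`. It assumes the package names `strapi` (v3) and `@strapi/strapi` (v4); the sample `package.json` contents are constructed for the example.

```javascript
// Added example (not from the article or from Strapi): classify an installed
// Strapi version against the ranges the disclosure names.
//   - every Strapi v3 release (and earlier) is end-of-life and affected
//   - Strapi v4 releases before v4.5.6 are affected
//   - users are advised to upgrade beyond v4.8.0

const FIRST_FIXED = [4, 5, 6];     // first v4 release the disclosure treats as not affected
const UPGRADE_TARGET = [4, 8, 0];  // the disclosure says to go beyond this version

// Parse "4.5.6", "v4.5.6", "^4.5.6" or "~4.5.6" into [major, minor, patch].
// A ^ or ~ range only states a minimum; the lockfile is authoritative for what
// is actually installed.
function parseSemver(spec) {
  const m = /^[\^~v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, upgradeAdvised, reason } for a single version string.
function assessStrapiVersion(spec) {
  const v = parseSemver(spec);
  const label = v.join('.');
  if (v[0] <= 3) {
    return { affected: true, upgradeAdvised: true,
      reason: `${label}: Strapi v3 and earlier are end-of-life and affected` };
  }
  if (compareSemver(v, FIRST_FIXED) < 0) {
    return { affected: true, upgradeAdvised: true,
      reason: `${label}: Strapi v4 before 4.5.6 is affected` };
  }
  if (compareSemver(v, UPGRADE_TARGET) <= 0) {
    return { affected: false, upgradeAdvised: true,
      reason: `${label}: outside the affected range but not beyond the advised 4.8.0 target` };
  }
  return { affected: false, upgradeAdvised: false,
    reason: `${label}: beyond the advised upgrade target` };
}

// Locate the Strapi dependency in a parsed package.json. Assumption: "strapi" is
// the v3 package name and "@strapi/strapi" the v4 one; confirm against your lockfile.
function findStrapiDependency(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of ['@strapi/strapi', 'strapi']) {
    if (deps[name]) return { name, spec: deps[name] };
  }
  return null;
}

// Assess the raw text of a package.json file.
function assessPackageJson(jsonText) {
  const dep = findStrapiDependency(JSON.parse(jsonText));
  if (!dep) return { found: false, reason: 'no Strapi dependency found' };
  return { found: true, name: dep.name, ...assessStrapiVersion(dep.spec) };
}

// Constructed sample package.json contents (not real project files).
const SAMPLES = {
  legacyV3: JSON.stringify({ dependencies: { strapi: '3.6.8' } }),
  earlyV4: JSON.stringify({ dependencies: { '@strapi/strapi': '^4.3.0' } }),
  patchedV4: JSON.stringify({ dependencies: { '@strapi/strapi': '4.9.0' } }),
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, assessPackageJson(text));
}
```

To use it on a real project, replace the constructed samples with the contents of the project's `package.json` and, for `^`/`~` entries, the resolved version from the lockfile. Note that the check only tells you whether the version is in the disclosed range; it does not establish whether the email templates were actually tampered with, which is what Strapi's IoC guidance is for.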
Source: https://coinedition.com/cms-strapi-issues-security-disclosure-of-vulnerabilities/