N/A

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.

N/A

N/A

Strapi 代码问题漏洞

Strapi是一套开源的内容管理系统（CMS）。 Strapi v4.1.12版本存在代码问题漏洞，该漏洞源于对文件上传无限制，攻击者利用该漏洞可以通过制作的文件执行任意代码。

N/A

N/A