Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
Vulnerability Description
Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Strapi 安全漏洞
Vulnerability Description
Strapi是法国strapi社区的一套开源的内容管理系统(CMS)。 Strapi 5.20.0之前版本存在安全漏洞,该漏洞源于默认安装中存在CORS配置错误,可能导致跨资源共享攻击。
CVSS Information
N/A
Vulnerability Type
N/A