An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.
- After a file containing malicious content has been uploaded, the content executes when a user opens the link to the file.
https://github.com/bypazs/GrimTheRipper/blob/main/GrimTheRipperTeam.pdf
- Strapi Version 4.1.12
- Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)
- The Media Library page allows files containing malicious content to be uploaded to the system.
- Log in with a user that has permission to upload files.
- Click on the "Media Library" menu, then click on "+ Add new assets".
- Click on the "Browse files" button, and then select the prepared file containing malicious content.
- Then click on the "Upload 1 asset to the library" button to upload the file to the system.
- Click edit in the corner of the file and click copy link.
- Paste the link into a new tab; the page shows that the XSS payload was executed.
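
A server-side screen for the kind of upload these steps describe, as an added example that is not part of the original advisory and is not Strapi's code. The allowlist, the `screenUpload` and `safeHeaders` names and the sample buffers are assumptions made for illustration.

```javascript
// Added example (not Strapi code): screen an uploaded asset before storing it.
const path = require('path');

// Assumed allowlist: extension -> expected MIME type and leading magic bytes.
const ALLOWED = {
  '.png':  { mime: 'image/png',  magic: [0x89, 0x50, 0x4e, 0x47] },
  '.jpg':  { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  '.jpeg': { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  '.gif':  { mime: 'image/gif',  magic: [0x47, 0x49, 0x46, 0x38] },
};

// Heuristic: markup tags in the bytes a browser inspects when sniffing a type.
const SNIFF_BYTES = 1445;
const ACTIVE_MARKUP = /<\s*(script|svg|html|iframe|!doctype)\b/i;

// Headers that stop a stored file from running as a document in the app origin.
function safeHeaders(mime) {
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

function screenUpload(filename, declaredMime, buf) {
  const rule = ALLOWED[path.extname(filename).toLowerCase()];
  if (!rule) return { ok: false, reason: 'extension-not-allowed' };
  if (declaredMime !== rule.mime) return { ok: false, reason: 'mime-mismatch' };
  if (!rule.magic.every((b, i) => buf[i] === b)) return { ok: false, reason: 'bad-signature' };
  // Polyglot: valid image signature followed by markup near the start.
  const head = buf.subarray(0, SNIFF_BYTES).toString('latin1');
  if (ACTIVE_MARKUP.test(head)) return { ok: false, reason: 'active-markup' };
  return { ok: true, headers: safeHeaders(rule.mime) };
}

// Constructed sample inputs.
const PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const MARKUP = Buffer.from('<html><script>/* constructed marker */</script></html>');
const POLYGLOT = Buffer.concat([Buffer.from('GIF89a'), MARKUP]);

for (const [name, mime, buf] of [
  ['logo.png', 'image/png', PNG], ['page.html', 'text/html', MARKUP],
  ['fake.png', 'image/png', MARKUP], ['anim.gif', 'image/gif', POLYGLOT],
]) console.log(name, JSON.stringify(screenUpload(name, mime, buf)));
```

The headers matter as much as the rejection logic: a file that passes the screen is still served with a fixed type, `nosniff`, and a sandboxing policy, so opening its copied link in a new tab does not render it as a page in the application's origin.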
Grim The Ripper Team by SOSECURE Thailand
- 2022-05-29: Vulnerability discovered.
- 2022-05-29: Vulnerability reported to the MITRE corporation.
- 2022-07-14: CVE has been reserved.
- 2022-05-29: Public disclosure of the vulnerability.
Reference: