CVE-2022-29894: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

June 13, 2022 (updated June 22, 2022)

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

References

github.com/strapi/strapi
jvn.jp/en/jp/JVN44550983/index.html
nvd.nist.gov/vuln/detail/CVE-2022-29894
strapi.io/

Detect and mitigate CVE-2022-29894 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →