[CVE-2022-32114] Strapi v4.1.12 — Unrestricted File Upload

Vulnerability Explanation:

Strapi v4.1.12 does not restrict the content of files uploaded through the Media Library. Any authenticated user who holds the upload permission can therefore store a file with embedded script (the proof of concept below is a PDF). Because the uploaded file is served back by the application and rendered inline when its link is opened in a browser, the embedded script runs as stored cross-site scripting against anyone who visits that link.

Tested on:

  1. Strapi Version 4.1.12
  2. Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)

Payload:

https://github.com/bypazs/GrimTheRipper/blob/main/GrimTheRipperTeam.pdf

Steps to attack:

  1. Log in with a user that has permission to upload files.
  2. Click on the “Media Library” menu, then click on “+ Add new assets”.
  3. Click on the “Browse files” button.
  4. Select the prepared file containing the malicious content.
  5. Click on the “Upload 1 asset to the library” button to upload the file to the system.
  6. Click “Edit” in the corner of the uploaded file.
  7. Click “Copy link”.
  8. Paste the link into a new tab; the XSS payload executes when the browser renders the file.
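The steps above rely on two weaknesses: the upload endpoint accepts active content, and the stored file is then rendered inline from the application's own origin. The following is an added example, written for this page and not taken from the advisory, from the Grim The Ripper payload or from Strapi's code base. It is a plain Node.js module (no dependencies) with two pieces a fix would need: a content check for a Media-Library-style upload handler that rejects files whose bytes do not match their extension, PDFs that carry JavaScript or open actions (including names obfuscated with `#XX` hex escapes), SVGs with script or event handlers, and HTML altogether; and the response headers a route that serves user uploads should set so that whatever does get stored is downloaded rather than rendered. The sample files (`evil.pdf`, `sneaky.pdf`, `clean.pdf`, `renamed.pdf`, `evil.svg`, `page.html`) are constructed inline for the demonstration. The byte search is a first filter only: PDF dictionaries can live inside compressed object streams, so a full check needs a real PDF parser, and the headers are the part of the fix that does not depend on catching every encoding.

```javascript
// Added example, not code from the advisory or from Strapi: upload content
// checks plus safe headers for serving user-supplied files. Plain Node.js.

// Leading bytes a file must start with for each permitted extension.
const MAGIC = {
  pdf: [Buffer.from('%PDF-')],
  png: [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  jpg: [Buffer.from([0xff, 0xd8, 0xff])],
  jpeg: [Buffer.from([0xff, 0xd8, 0xff])],
  gif: [Buffer.from('GIF87a'), Buffer.from('GIF89a')],
};
const ALLOWED_EXT = new Set(['pdf', 'png', 'jpg', 'jpeg', 'gif', 'svg']);

// PDF name tokens may hide characters as #XX hex escapes: /J#61vaScript is
// the same name as /JavaScript. Decode before searching so a trivial
// obfuscation does not bypass the check.
function decodePdfNames(text) {
  return text.replace(/#([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Dictionary keys that make a viewer execute code or trigger an action when
// the document is opened. Returns the keys found (empty array if none).
function pdfActiveContent(buf) {
  const text = decodePdfNames(buf.toString('latin1'));
  const keys = ['/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch'];
  return keys.filter(k =>
    new RegExp(k.replace('/', '\\/') + '(?![A-Za-z])').test(text));
}

// SVG is XML that browsers render as a document, so script and event
// handlers inside it run like any other inline HTML.
function svgActiveContent(text) {
  const hits = [];
  if (/<script[\s>]/i.test(text)) hits.push('<script>');
  if (/\son[a-z]+\s*=/i.test(text)) hits.push('on* event handler');
  if (/javascript:/i.test(text)) hits.push('javascript: URL');
  if (/<foreignObject/i.test(text)) hits.push('<foreignObject>');
  return hits;
}

// Decide whether an upload may be stored. Returns { allowed, reasons }.
function scanUpload(filename, buf) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const reasons = [];
  if (!ALLOWED_EXT.has(ext)) {
    reasons.push(`extension .${ext} not allowed`);
  } else if (ext === 'svg') {
    const hits = svgActiveContent(buf.toString('utf8'));
    if (hits.length) reasons.push(`SVG active content: ${hits.join(', ')}`);
  } else {
    const signatureOk = MAGIC[ext].some(m => buf.subarray(0, m.length).equals(m));
    if (!signatureOk) {
      reasons.push(`content does not match .${ext} signature`);
    } else if (ext === 'pdf') {
      const hits = pdfActiveContent(buf);
      if (hits.length) reasons.push(`PDF active content: ${hits.join(', ')}`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Defence in depth for files that are stored anyway: force a download so the
// browser never renders them on the application's origin, sandbox anything
// it still interprets, and stop MIME sniffing from re-labelling the bytes.
function uploadResponseHeaders(filename) {
  const safeName = filename.replace(/["\r\n]/g, '_');
  return {
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample files for the demonstration (not the team's payload).
const SAMPLES = {
  // Minimal PDF whose OpenAction runs JavaScript as soon as it is opened.
  'evil.pdf': Buffer.from(
    '%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R ' +
    '/OpenAction << /S /JavaScript /JS (app.alert(document.domain)) >> >> endobj\n' +
    '2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n', 'latin1'),
  // Same action with the names hex-escaped to dodge a naive grep.
  'sneaky.pdf': Buffer.from(
    '%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction << /S /J#61vaScript /J#53 (app.alert(1)) >> >> endobj\n%%EOF\n', 'latin1'),
  'clean.pdf': Buffer.from('%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n', 'latin1'),
  // PNG signature renamed to .pdf: bytes do not match the extension.
  'renamed.pdf': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'evil.svg': Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>'),
  'page.html': Buffer.from('<script>alert(1)</script>'),
};

for (const [name, bytes] of Object.entries(SAMPLES)) {
  const verdict = scanUpload(name, bytes);
  console.log(name, verdict.allowed ? 'ALLOW' : 'REJECT', verdict.reasons.join('; '));
}
console.log(uploadResponseHeaders('report.pdf'));
```

Running the module prints a verdict per sample: only `clean.pdf` is allowed. Note that `sneaky.pdf` is caught only because the names are decoded first; a payload whose catalog dictionary sits inside a compressed object stream would pass this filter, which is why the `Content-Disposition: attachment` and `sandbox` headers, or serving uploads from a separate origin, are the part of the fix to rely on.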

Author:

Grim The Ripper Team by SOSECURE Thailand
