[CVE-2022-32114] Strapi v4.1.12 — Unrestricted File Upload
Vulnerability Explanation:
Strapi v4.1.12 has an Unrestricted File Upload vulnerability that allows an attacker to upload files containing malicious content to the system; the content is then executed when the uploaded file is opened.
Tested on:
- Strapi Version 4.1.12
- Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)
Payload :
https://github.com/bypazs/GrimTheRipper/blob/main/GrimTheRipperTeam.pdf
Steps to attack:
1. Log in with a user that has permission to upload files.
2. Click on the “Media Library” menu, then click on “+ Add new assets”.
3. Click on the “Browse files” button.
4. Then select the prepared file containing malicious content.
5. Then click on the “Upload 1 asset to the library” button to upload the file to the system.
6. Click edit in the corner of the file.
7. Click copy link.
8. Paste the link into a new tab; it will show that the XSS payload was executed.
Author:
Grim The Ripper Team by SOSECURE Thailand