PT-2020-16756 · Strapi · Strapi

Lukáš Václavík

Published

2020-10-22

Updated

2021-05-10

CVE-2020-27664

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 3.2.5

Description The issue concerns unwanted /proxy?url= functionality in the admin/src/containers/InputModalStepperProvider/index.js file. This functionality can be exploited, but details about real-world incidents or the estimated number of potentially affected devices are not provided.

Recommendations For versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the /proxy?url= endpoint until the update is applied.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2020-27664

GHSA-7FRV-9PHW-VRVR

Affected Products

Strapi

PT-2020-16756 · Strapi · Strapi

CVE-2020-27664

Weakness Enumeration

Related Identifiers

Affected Products

References · 6