PT-2022-21097 · Strapi · Strapi

Grim The Ripper Team · Published 2022-07-13 · Updated 2024-08-03

CVE-2022-32114

CVSS v2.0: 6.5 Medium
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Strapi version 4.1.12

Description: An unrestricted file upload vulnerability in the Add New Assets function allows attackers to conduct XSS attacks via a crafted PDF file. The project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired. Attackers can also execute arbitrary code via a crafted file. After an authenticated attacker uploads the crafted file, a victim who copies and pastes the resulting malicious URL into a new tab receives the XSS payload.

Recommendations: As a temporary workaround, consider disabling the file upload functionality in the Add New Assets function until a patch is available. Restrict access to the public assets folder to minimize the risk of exploitation. The administrator can choose to allow only image, video, and audio files (i.e., not PDF) to reduce the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
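The "allow only image, video, and audio files" recommendation above amounts to a server-side type allowlist. The following is an added example (not Strapi's own code and not part of the advisory) of how such a check can be implemented in Node.js in front of a media upload endpoint: it sniffs the real type from magic bytes instead of trusting the client's declared MIME type, applies the allowlist, and, for deployments that still accept PDFs, rejects files that contain JavaScript or automatic actions. All function names and the sample uploads are constructed for this illustration.

```javascript
// Added example (not Strapi's own code): a type allowlist plus a PDF active-content
// check that a media upload endpoint could run before storing a file. Function and
// sample names are assumptions made for this illustration.

// Magic-byte signatures for the types we care about; the declared MIME type
// sent by the client is never trusted on its own.
const MAGIC = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
];

function sniffMime(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) {
      return mime;
    }
  }
  return 'application/octet-stream';
}

// PDF name objects that make a viewer run script or trigger actions automatically.
const PDF_ACTIVE_CONTENT = [/\/JavaScript\b/, /\/JS\b/, /\/OpenAction\b/, /\/AA\b/, /\/Launch\b/];

function pdfHasActiveContent(buf) {
  // latin1 keeps one byte per character, so nothing in the PDF is lost to decoding.
  const text = buf.toString('latin1');
  return PDF_ACTIVE_CONTENT.some((re) => re.test(text));
}

// allowedTypes holds MIME families ('image', 'video', 'audio') and/or full types.
function validateUpload({ declaredMime, data }, allowedTypes) {
  const actualMime = sniffMime(data);
  if (actualMime !== declaredMime) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${actualMime}` };
  }
  const family = actualMime.split('/')[0];
  if (!allowedTypes.includes(family) && !allowedTypes.includes(actualMime)) {
    return { ok: false, reason: `${actualMime} is not an allowed upload type` };
  }
  if (actualMime === 'application/pdf' && pdfHasActiveContent(data)) {
    return { ok: false, reason: 'PDF contains JavaScript or automatic actions' };
  }
  return { ok: true, mime: actualMime };
}

// Constructed sample uploads (not real files from the advisory).
const SAMPLE_PNG = {
  declaredMime: 'image/png',
  data: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]),
};
const SAMPLE_PDF_PLAIN = {
  declaredMime: 'application/pdf',
  data: Buffer.from('%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF', 'latin1'),
};
const SAMPLE_PDF_SCRIPTED = {
  declaredMime: 'application/pdf',
  data: Buffer.from('%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF', 'latin1'),
};
// Same PDF bytes, but the client claims the upload is an image.
const SAMPLE_MISLABELLED = { declaredMime: 'image/png', data: SAMPLE_PDF_SCRIPTED.data };

const MEDIA_ONLY = ['image', 'video', 'audio']; // the "no PDF" policy from the advisory
const MEDIA_AND_PDF = [...MEDIA_ONLY, 'application/pdf'];

for (const [name, upload] of Object.entries({ SAMPLE_PNG, SAMPLE_PDF_PLAIN, SAMPLE_PDF_SCRIPTED, SAMPLE_MISLABELLED })) {
  console.log(name, 'media-only:', validateUpload(upload, MEDIA_ONLY));
  console.log(name, 'media+pdf:', validateUpload(upload, MEDIA_AND_PDF));
}
```

With the media-only policy the PNG passes and every PDF is rejected, which is the advisory's recommended posture. With PDFs allowed, the plain PDF passes, the scripted one is rejected, and the PDF relabelled as an image is rejected because the sniffed type disagrees with the declared one. The signature scan is a coarse filter on uncompressed PDF objects; a production check should also parse compressed object streams or hand the file to a dedicated scanner.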

Exploit

XSS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2022-32114, GHSA-4VM8-J95F-J6V5

Affected Products: Strapi