CVE-2023-22621

Name of the Vulnerable Software and Affected Versions Strapi versions 4.5.5 and earlier

Description Strapi allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution. The attacker can modify the email templates, and suspicious code can be identified by looking for unrecognized JavaScript code within the <%STUFF HERE%> blocks in the templates.

Recommendations For Strapi versions 4.5.5 and earlier, update to a version later than 4.5.5 to resolve the issue. As a temporary workaround, consider manually reviewing email templates on the Strapi server and backups of the database to identify any suspicious code. Restrict access to the email template modification feature in the Strapi admin panel to minimize the risk of exploitation.