CMS Strapi Issues Security Disclosure of Vulnerabilities

Strapi, the open-source headless Content Management System (CMS) issued a security disclosure of vulnerabilities alerting users to upgrade their Strapi version 3.x.x as it expired on December 31, 2022. The platform cautioned the users to immediately get updated to the 4.x.x version if their current version is 3.x.x or below.

Subsequent to the security alert, the Chinese reporter Collin Wu, invited the attention of the Twitter community by posting on his official page, Wu Blockchain, creating awareness of the issue:

CMS Strapi issued a security alert that attackers can use known vulnerabilities to take over Admin accounts or RCE to take over server permissions. There are a large number of projects in the cryptocurrency industry using this product, please upgrade immediately.

— Wu Blockchain (@WuBlockchain) April 23, 2023

Notably, the reporter added that the vulnerability could be misused by the attackers to take over the Admin accounts; he suggested that it would be better to upgrade as soon as possible as there exists a “large number of projects in the cryptocurrency industry” depending on the project.

Significantly, Strapi proclaimed that the researcher reported on December 29, 2022, that the server-side template injection (SSTI) vulnerability has been impacting their users-permission plugin’s email template system.

In detail, the SSTI vulnerability facilitated the modification of the default email template, executing “malicious code” through remote code execution (RCE).

It is noteworthy that Strapi wasn’t interested in elaborating on the in-depth details of the vulnerabilities, instead, the platform wanted to “communicate on the IoCs (indicators of compromise)”, thereby directing the users to analyze whether they have been affected.

Further, Strapi notified that the vulnerability is likely to affect all the Strapi v3 and Strapi v4 versions prior to v4.5.6, and advised the users to upgrade beyond v4.8.0.

Source