Command Injection in strapi

Published: Sep 4, 2020
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-9p2w-rmx4-9mw7" target="_blank" rel="noopener"> GHSA-9p2w-rmx4-9mw7
Severity: High
Exploit:

Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server.