Vulnerability Database
296,147
Total vulnerabilities in the database
CVE-2019-19609
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
| Software | From | Fixed in |
|---|---|---|
| strapi / strapi | - | 1.6.4.x |
| strapi / strapi | 3.0.0-alpha4.8 | 3.0.0-alpha4.8.x |
| strapi / strapi | 3.0.0-alpha5.3 | 3.0.0-alpha5.3.x |
| strapi / strapi | 3.0.0-alpha5.5 | 3.0.0-alpha5.5.x |
| strapi / strapi | 3.0.0-alpha6.3 | 3.0.0-alpha6.3.x |
| strapi / strapi | 3.0.0-alpha6.4 | 3.0.0-alpha6.4.x |
| strapi / strapi | 3.0.0-alpha6.7 | 3.0.0-alpha6.7.x |
| strapi / strapi | 3.0.0-alpha7.2 | 3.0.0-alpha7.2.x |
| strapi / strapi | 3.0.0-alpha7.3 | 3.0.0-alpha7.3.x |
| strapi / strapi | 3.0.0-alpha8 | 3.0.0-alpha8.x |
| strapi / strapi | 3.0.0-alpha8.3 | 3.0.0-alpha8.3.x |
| strapi / strapi | 3.0.0-alpha9 | 3.0.0-alpha9.x |
| strapi / strapi | 3.0.0-alpha9.1 | 3.0.0-alpha9.1.x |
| strapi / strapi | 3.0.0-alpha9.2 | 3.0.0-alpha9.2.x |
| strapi / strapi | 3.0.0-alpha10.1 | 3.0.0-alpha10.1.x |
| strapi / strapi | 3.0.0-alpha10.2 | 3.0.0-alpha10.2.x |
| strapi / strapi | 3.0.0-alpha10.3 | 3.0.0-alpha10.3.x |
| strapi / strapi | 3.0.0-alpha11 | 3.0.0-alpha11.x |
| strapi / strapi | 3.0.0-alpha11.1 | 3.0.0-alpha11.1.x |
| strapi / strapi | 3.0.0-alpha11.2 | 3.0.0-alpha11.2.x |
| strapi / strapi | 3.0.0-alpha11.3 | 3.0.0-alpha11.3.x |
| strapi / strapi | 3.0.0-alpha12 | 3.0.0-alpha12.x |
| strapi / strapi | 3.0.0-alpha12.1 | 3.0.0-alpha12.1.x |
| strapi / strapi | 3.0.0-alpha12.1.3 | 3.0.0-alpha12.1.3.x |
| strapi / strapi | 3.0.0-alpha12.2 | 3.0.0-alpha12.2.x |
| strapi / strapi | 3.0.0-alpha12.3 | 3.0.0-alpha12.3.x |
| strapi / strapi | 3.0.0-alpha12.4 | 3.0.0-alpha12.4.x |
| strapi / strapi | 3.0.0-alpha12.5 | 3.0.0-alpha12.5.x |
| strapi / strapi | 3.0.0-alpha12.6 | 3.0.0-alpha12.6.x |
| strapi / strapi | 3.0.0-alpha12.7 | 3.0.0-alpha12.7.x |
| strapi / strapi | 3.0.0-alpha12.7.1 | 3.0.0-alpha12.7.1.x |
| strapi / strapi | 3.0.0-alpha13 | 3.0.0-alpha13.x |
| strapi / strapi | 3.0.0-alpha13.0.1 | 3.0.0-alpha13.0.1.x |
| strapi / strapi | 3.0.0-alpha13.1 | 3.0.0-alpha13.1.x |
| strapi / strapi | 3.0.0-alpha14 | 3.0.0-alpha14.x |
| strapi / strapi | 3.0.0-alpha14.1 | 3.0.0-alpha14.1.x |
| strapi / strapi | 3.0.0-alpha14.1.1 | 3.0.0-alpha14.1.1.x |
| strapi / strapi | 3.0.0-alpha14.2 | 3.0.0-alpha14.2.x |
| strapi / strapi | 3.0.0-alpha14.3 | 3.0.0-alpha14.3.x |
| strapi / strapi | 3.0.0-alpha14.4.0 | 3.0.0-alpha14.4.0.x |
| strapi / strapi | 3.0.0-alpha14.5 | 3.0.0-alpha14.5.x |
| strapi / strapi | 3.0.0-alpha15 | 3.0.0-alpha15.x |
| strapi / strapi | 3.0.0-alpha16 | 3.0.0-alpha16.x |
| strapi / strapi | 3.0.0-alpha17 | 3.0.0-alpha17.x |
| strapi / strapi | 3.0.0-alpha18 | 3.0.0-alpha18.x |
| strapi / strapi | 3.0.0-alpha19 | 3.0.0-alpha19.x |
| strapi / strapi | 3.0.0-alpha20 | 3.0.0-alpha20.x |
| strapi / strapi | 3.0.0-alpha21 | 3.0.0-alpha21.x |
| strapi / strapi | 3.0.0-alpha22 | 3.0.0-alpha22.x |
| strapi / strapi | 3.0.0-alpha23 | 3.0.0-alpha23.x |
| strapi / strapi | 3.0.0-alpha23.1 | 3.0.0-alpha23.1.x |
| strapi / strapi | 3.0.0-alpha24 | 3.0.0-alpha24.x |
| strapi / strapi | 3.0.0-alpha24.1 | 3.0.0-alpha24.1.x |
| strapi / strapi | 3.0.0-alpha25 | 3.0.0-alpha25.x |
| strapi / strapi | 3.0.0-alpha25.1 | 3.0.0-alpha25.1.x |
| strapi / strapi | 3.0.0-alpha25.2 | 3.0.0-alpha25.2.x |
| strapi / strapi | 3.0.0-alpha26 | 3.0.0-alpha26.x |
| strapi / strapi | 3.0.0-alpha26.1 | 3.0.0-alpha26.1.x |
| strapi / strapi | 3.0.0-beta0 | 3.0.0-beta0.x |
| strapi / strapi | 3.0.0-beta1 | 3.0.0-beta1.x |
| strapi / strapi | 3.0.0-beta2 | 3.0.0-beta2.x |
| strapi / strapi | 3.0.0-beta3 | 3.0.0-beta3.x |
| strapi / strapi | 3.0.0-beta4 | 3.0.0-beta4.x |
| strapi / strapi | 3.0.0-beta5 | 3.0.0-beta5.x |
| strapi / strapi | 3.0.0-beta6 | 3.0.0-beta6.x |
| strapi / strapi | 3.0.0-beta7 | 3.0.0-beta7.x |
| strapi / strapi | 3.0.0-beta8 | 3.0.0-beta8.x |
| strapi / strapi | 3.0.0-beta9 | 3.0.0-beta9.x |
| strapi / strapi | 3.0.0-beta10 | 3.0.0-beta10.x |
| strapi / strapi | 3.0.0-beta11 | 3.0.0-beta11.x |
| strapi / strapi | 3.0.0-beta12 | 3.0.0-beta12.x |
| strapi / strapi | 3.0.0-beta13 | 3.0.0-beta13.x |
| strapi / strapi | 3.0.0-beta14 | 3.0.0-beta14.x |
| strapi / strapi | 3.0.0-beta15 | 3.0.0-beta15.x |
| strapi / strapi | 3.0.0-beta16 | 3.0.0-beta16.x |
| strapi / strapi | 3.0.0-beta16.1 | 3.0.0-beta16.1.x |
| strapi / strapi | 3.0.0-beta16.2 | 3.0.0-beta16.2.x |
| strapi / strapi | 3.0.0-beta16.3 | 3.0.0-beta16.3.x |
| strapi / strapi | 3.0.0-beta16.4 | 3.0.0-beta16.4.x |
| strapi / strapi | 3.0.0-beta16.5 | 3.0.0-beta16.5.x |
| strapi / strapi | 3.0.0-beta16.6 | 3.0.0-beta16.6.x |
| strapi / strapi | 3.0.0-beta16.7 | 3.0.0-beta16.7.x |
| strapi / strapi | 3.0.0-beta16.8 | 3.0.0-beta16.8.x |
| strapi / strapi | 3.0.0-beta17 | 3.0.0-beta17.x |
| strapi / strapi | 3.0.0-beta17.1 | 3.0.0-beta17.1.x |
| strapi / strapi | 3.0.0-beta17.2 | 3.0.0-beta17.2.x |
| strapi / strapi | 3.0.0-beta17.3 | 3.0.0-beta17.3.x |
| strapi / strapi | 3.0.0-beta17.4 | 3.0.0-beta17.4.x |
| strapi / strapi | 3.0.0-beta17.5 | 3.0.0-beta17.5.x |
| strapi / strapi | 3.0.0-beta17.6 | 3.0.0-beta17.6.x |
| strapi / strapi | 3.0.0-beta17.7 | 3.0.0-beta17.7.x |
| strapi / strapi | 3.0.0-alpha4 | 3.0.0-alpha4.x |
| strapi / strapi | 3.0.0-alpha26.2 | 3.0.0-alpha26.2.x |
strapi
|
- | 3.0.0-beta.17.8 |
- http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
- https://bittherapy.net/post/strapi-framework-remote-code-execution/
- https://github.com/strapi/strapi/pull/4636