Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| @strapi/plugin-users-permissions(npm) | 0 | 4.5.6 | N/A |
| @strapi/plugin-email(npm) | 0 | 4.5.6 | N/A |
CVSS Metrics
