CVE-2023-22621

Description

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.

NVD
Severity: HIGH
CVE ID: CVE-2023-22621
CVSS Score: 7.2
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference: NVD, MITRE

Proof Of Concept

sofianeelhor

CVE-2023-22621: SSTI to RCE by Exploiting Email Templates affecting Strapi Versions <=4.5.5

Reference: GitHub