CVE-2023-22621
Published 2023-04-19
Priority: P1 · 82 · high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 76.83% (99.5th percentile)
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strapi | plugin-email | >= 0 < 4.5.6 | 4.5.6 |
| strapi | plugin-users-permissions | >= 0 < 4.5.6 | 4.5.6 |
| strapi | strapi | >= 3.0.0 < 4.5.6 | 4.5.6 |
Detection & IoCs (extracted from sources)
url: /api/auth/local/register
other: %=*/}]}).output }` %>
- SSTI payload injected into the Strapi email template `message` field: look for template expressions containing `%=` combined with JavaScript object/closure syntax (e.g. `*/}]}).output`) in admin-panel email-template configuration requests. A legitimate template only interpolates plain placeholders such as `<%= URL %>` and `<%= CODE %>`; anything more complex inside an interpolation is suspect.
- The public PoC confirms execution with an out-of-band DNS interaction that fires when a new user registers via /api/auth/local/register; monitor for unexpected DNS lookups from the Strapi server process after an email-template modification, bearing in mind that a custom payload need not make any callback at all.
- Saving the template through the admin API returns HTTP 200 with a JSON body containing `ok` and `true` (this is the stage-one check in the PoC, not the registration response); correlate such template saves with registration requests that follow them.
- The exploit flow has two stages: (1) an authenticated admin modifies the email_confirmation template with a malicious SSTI payload, then (2) execution is triggered by a new user registration POST to /api/auth/local/register.
- An error response body containing `ApplicationError` from /api/auth/local/register may indicate the SSTI payload was triggered but caused a server-side error; flag registrations that return ApplicationError in JSON alongside abnormal server-side activity.
- The vulnerability affects Strapi through version 4.5.5 only; 4.5.6 and later carry the fixed template validation and are not affected.
- Exploitation requires prior authenticated access to the Strapi admin panel; unauthenticated attackers cannot inject the malicious email template payload directly.
- The SSTI payload is placed specifically in the `email_confirmation` template's `message` field within the Strapi admin email settings; detection should focus on modifications to this template field.
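As an added example (not code from this page, the advisories, or Strapi itself), the following script turns the indicators above, together with the request-log IoC named in the GHSA advisory (a `PUT` to `/users-permissions/email-templates`), into a two-stage hunt: it parses access-log lines, pairs every email-template write with registration POSTs that follow it inside a time window, and separately checks a saved template body for interpolations that are anything other than a plain variable reference. It assumes a reverse proxy in front of Strapi writing nginx/Apache combined-format logs and the admin API mounted at the root path; the sample log lines and template bodies are constructed for the example.

```python
"""Hunt for the CVE-2023-22621 two-stage pattern in web access logs and check
email-template bodies for interpolations that go beyond a plain variable.

Assumptions (not from the advisory): requests reach Strapi through a reverse
proxy writing nginx/Apache combined-format logs, and the admin API is mounted
at the root so the template endpoint appears exactly as in the GHSA IoC.
"""
import re
from datetime import datetime, timedelta

TEMPLATE_PATH = "/users-permissions/email-templates"  # PUT target named in the GHSA IoC
REGISTER_PATH = "/api/auth/local/register"            # registration POST that renders the template

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Strapi email templates use lodash-style <%= ... %> interpolation; the legitimate
# placeholders are plain (possibly dotted) variable names such as URL, CODE, USER.username.
INTERP_RE = re.compile(r"%=(.*?)%>", re.DOTALL)
BARE_IDENT_RE = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*$")

# Constructed sample log, not captured from a real incident. The first PUT has no
# registration following it; the second is followed by one 200 and one 400.
SAMPLE_LOG = """\
10.0.0.9 - - [18/Apr/2023:09:00:00 +0000] "PUT /users-permissions/email-templates HTTP/1.1" 200 25 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2023:10:01:12 +0000] "GET /admin/settings/users-permissions/email-templates HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2023:10:02:40 +0000] "PUT /users-permissions/email-templates HTTP/1.1" 200 25 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2023:10:03:05 +0000] "POST /api/auth/local/register HTTP/1.1" 200 312 "-" "python-requests/2.28"
203.0.113.7 - - [19/Apr/2023:10:03:09 +0000] "POST /api/auth/local/register HTTP/1.1" 400 98 "-" "python-requests/2.28"
"""

# Constructed template bodies. The benign one mirrors the shape of Strapi's stock
# confirmation text; the suspicious one embeds the payload fragment shown on this page.
BENIGN_TEMPLATE = (
    "Hi <%= USER.username %>,\n\nPlease confirm your address:\n\n"
    "<%= URL %>?confirmation=<%= CODE %>\n\nThanks."
)
SUSPICIOUS_TEMPLATE = "%=*/}]}).output }` %>\n\n?confirmation=\n\nThanks."


def parse_log(text):
    """Parse combined-format lines into dicts sorted by timestamp; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(hours=1)):
    """Pair every template write (stage 1) with registration POSTs inside `window` (stage 2)."""
    alerts = []
    for i, e in enumerate(events):
        if e["method"] != "PUT" or e["path"] != TEMPLATE_PATH:
            continue
        deadline = e["ts"] + window
        regs = [r for r in events[i + 1:]
                if r["ts"] <= deadline and r["method"] == "POST" and r["path"] == REGISTER_PATH]
        alerts.append({
            "template_write": e,
            "registrations": regs,
            "success": sum(1 for r in regs if r["status"] == 200),   # template rendered
            "errors": sum(1 for r in regs if r["status"] >= 400),    # e.g. ApplicationError
        })
    return alerts


def suspicious_interpolations(template_body):
    """Return every interpolation body that is not a plain (dotted) variable reference."""
    return [expr.strip() for expr in INTERP_RE.findall(template_body)
            if not BARE_IDENT_RE.match(expr.strip())]


def hunt(log_text, window=timedelta(hours=1)):
    """Template writes that were followed by at least one registration attempt."""
    return [a for a in correlate(parse_log(log_text), window) if a["registrations"]]


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        w = a["template_write"]
        print(f"{w['ts']:%Y-%m-%d %H:%M:%S} template PUT from {w['ip']}: "
              f"{len(a['registrations'])} registration(s), {a['success']} ok, {a['errors']} error")
    print("benign:", suspicious_interpolations(BENIGN_TEMPLATE))
    print("suspicious:", suspicious_interpolations(SUSPICIOUS_TEMPLATE))
```

Access logs carry status codes but not response bodies, so the `ok`/`true` save confirmation and the `ApplicationError` body can only be checked where the body is logged; the status-code split in `correlate` is the closest proxy. If Strapi is mounted under a path prefix, or the only request log is Strapi's own logger middleware rather than a proxy, adjust `TEMPLATE_PATH`, `REGISTER_PATH` and `LOG_RE` accordingly.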
CVSS provenance
NVD (v3.1): 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 7.2 HIGH
GHSA
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
ghsa · 2023-04-19 · CVE-2023-22621 · severity CRITICAL · CWE-74
### Summary
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server.
### Details
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
### IoC
Using just the request log files, the only IoC to search for is a `PUT` request to URL path `/users-permissions/email-templates`. This IoC only i
OSV
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
osv · 2023-04-19 · CVE-2023-22621 · severity CRITICAL
The OSV entry carries the same Summary, Details and IoC text as the GHSA advisory above.
VulnCheck
strapi strapi: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck · 2023 · CVE-2023-22621 · HIGH · CVSS 7.2
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
Affected: strapi strapi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://intel.breakglass.tech/post/strapi-plugin-events-c2
Exploit PoC: https://vulncheck.com/xdb/dcac39802eb9
No detection rules found.
Nuclei
Strapi Versions <=4.5.5 - SSTI to Remote Code Execution
nuclei · CVE-2023-22621 · HIGH · CVSS 7.2
Template excerpt as indexed on this page. It is truncated at both ends (the template header, the start of the first raw request and the end of the second are not present), and the angle-bracket template tags inside the message strings did not survive extraction, so the strings below are not the complete payload.

```yaml
              "message": "We heard that you lost your password. Sorry about that!\n\nBut dont worry! You can use the following link to reset your password:\n?code=\n\nThanks."
            }
          },
          "email_confirmation": {
            "display": "Email.template.email_confirmation",
            "icon": "check-square",
            "options": {
              "from": {
                "name": "Administration Panel",
                "email": "[email protected]"
              },
              "response_email": "",
              "object": "Account confirmation",
              "message": "%=*/}]}).output }` %>\n\n?confirmation=\n\nThanks."
            }
          }
        }
        }
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "ok","true")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true
  - raw:
      - |
        POST /api/auth/local/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "email": "{{address}}",
          "username": "{{randstr_1}
```

The first request is the stage-one template save (its `internal: true` matcher only checks for the `{"ok":true}` save confirmation); the second request, the registration POST, is what renders the template and triggers execution.
No writeups or analysis indexed.
References
- https://github.com/strapi/strapi/releases
- https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
- https://www.ghostccamm.com/blog/multi_strapi_vulns/