CVE-2022-29894 Strapi v3.x.x versions and earlier contain a stored XSS vulnerability in the file upload function.

This issue was fixed in version 3.0.1, which is now recommended for all Strapi customers. You can upgrade your installation by following the upgrade guide. If you are using an older version of Strapi, you should upgrade it as soon as possible. This updated version comes with the following improvements:

Improved error messages in case of failed file uploads.

Simplified configuration of file upload form.

Added validation of file names and extensions.

Added visibility of file uploads for administrators.

Added warning for incorrect file names and extensions.

Added validation of file types.

Added visibility of file types for administrators.

Added an option to disable file uploads for administrators.


Strapi 3.0.0: What’s new?

Strapi 3.0.0 was released on September 6, 2018 and introduces many new features and improvements, as well as security updates to prevent possible security vulnerabilities. The following are some of the key highlights of the release:

What is Strapi?

Strapi is a PHP framework that helps you create modern web applications. It is a complete solution for front-end and back-end development.

Timeline

Published on: 06/13/2022 05:15:00 UTC
Last modified on: 06/22/2022 12:12:00 UTC

References