CVE-2019-19609

critical-risk
Published 2019-12-05

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

Do I need to act?

!
81.1% chance of exploitation in next 30 days
EPSS score — higher than 19% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50238
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Strapi

References (8)

Exploit http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-E...
Exploit http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Co...
Exploit https://bittherapy.net/post/strapi-framework-remote-code-execution/
Patch https://github.com/strapi/strapi/pull/4636
Exploit http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-E...
Exploit http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Co...
Exploit https://bittherapy.net/post/strapi-framework-remote-code-execution/
Patch https://github.com/strapi/strapi/pull/4636
76
/ 100
critical-risk
Severity 26/34 · High
Exploitability 20/34 · Moderate
Exposure 30/34 · Critical