CVE-2023-22621 — AI Deep Analysis Summary

🚨 **Essence**: Strapi CMS (v4.5.5-) suffers from **SSTI** (Server-Side Template Injection) via email templates.…

🛡️ **Root Cause**: The `sendTemplatedEmail` function uses the **Lodash** template engine. <br>⚠️ **Flaw**: Lodash evaluates JavaScript code within templates.…

📦 **Affected**: **Strapi** Content Management System. <br>🔢 **Versions**: All versions **<= 4.5.5**. <br>📅 **Published**: April 19, 2023. <br>👥 **Vendor**: Strapi (Open Source).

💻 **Attacker Actions**: <br>1. Inject crafted payloads into email templates. <br>2. **Bypass** existing validation checks. <br>3. Execute **arbitrary code** on the server.…

🔑 **Threshold**: **Medium/High**. <br>🚪 **Auth Required**: Yes. The attacker needs **access to the Strapi admin panel**. <br>🌐 **Remote**: Yes, but requires authentication first. Not fully unauthenticated.

🔓 **Public Exp?**: **YES**. <br>📂 **PoC Available**: <br>- GitHub: `sofianeelhor/CVE-2023-22621-POC` <br>- Nuclei Template: `projectdiscovery/nuclei-templates` <br>🔥 **Wild Exploitation**: Possible for those with admin a…

🔍 **Self-Check**: <br>1. Check Strapi version (<= 4.5.5). <br>2. Scan for **SSTI** in email template fields. <br>3. Use Nuclei templates for CVE-2023-22621. <br>4.…

🩹 **Fixed?**: **YES**. <br>📢 **Official Disclosure**: Strapi released security disclosures and patches. <br>✅ **Action**: Upgrade to version **> 4.5.5** immediately. Check `strapi/strapi/releases`.

🚧 **No Patch?**: <br>1. **Disable** email plugin if not needed. <br>2. **Restrict** admin panel access strictly (IP whitelisting). <br>3. **Sanitize** all inputs before they reach email templates. <br>4.…

🚨 **Urgency**: **HIGH**. <br>⚡ **Priority**: Patch immediately. <br>📉 **Risk**: RCE is a critical severity. Even with auth requirement, admin compromise leads to total server takeover. Do not ignore.