Vulnerabilities

CVE-2019-19609 – Strapi / Strapi – OS command injection

September 8, 2021

CVE-2019-19609 is an OS command injection vulnerability impacting multiple versions of Strapi. An exploit was observed in open source and a link to an exploit was shared in the underground.

Summary:

CVE-2019-19609 is an OS command injection vulnerability impacting multiple versions of Strapi. An exploit was observed in open source and a link to an exploit was shared in the underground.

PoC Links(if available):

Exploit DB link –
https://www.exploit-db.com/exploits/50239

Known Counter Measures:

The vendor addressed the vulnerability in Strapi version 3.0.0-beta.17.8.

Links to patches(if available)

https://github.com/strapi/strapi/pull/4636

CVE-2019-19609 – Strapi / Strapi – OS command injection

Summary:

PoC Links(if available):

Known Counter Measures:

Links to patches(if available)

GoPhish Login Page Detected – 34[.]133[.]186[.]252:4444

GoPhish Login Page Detected – 195[.]133[.]13[.]135:4444

GoPhish Login Page Detected – 64[.]227[.]178[.]226:3333

GoPhish Login Page Detected – 51[.]159[.]6[.]180:3333

HackerOne Bug Bounty Disclosure: member-role-which-doesn-t-have-permission-to-send-message-can-send-by-executing-channel-commands-ramsakal

Summary:

PoC Links(if available):

Known Counter Measures:

Links to patches(if available)

You may have missed

GoPhish Login Page Detected – 34[.]133[.]186[.]252:4444

GoPhish Login Page Detected – 195[.]133[.]13[.]135:4444

GoPhish Login Page Detected – 64[.]227[.]178[.]226:3333

GoPhish Login Page Detected – 51[.]159[.]6[.]180:3333

HackerOne Bug Bounty Disclosure: member-role-which-doesn-t-have-permission-to-send-message-can-send-by-executing-channel-commands-ramsakal