{"id":"GHSA-7frv-9phw-vrvr","summary":"Authorization bypass in Strapi","details":"`admin/src/containers/InputModalStepperProvider/index.js` in Strapi before 3.2.5 has unwanted `/proxy?url=` functionality.","aliases":["CVE-2020-27664"],"modified":"2023-11-01T04:52:50.214458Z","published":"2021-05-10T18:43:59Z","database_specific":{"cwe_ids":["CWE-862"],"github_reviewed":true,"nvd_published_at":"2020-10-22T19:15:00Z","github_reviewed_at":"2021-04-21T18:06:14Z","severity":"CRITICAL"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-27664"},{"type":"WEB","url":"https://github.com/strapi/strapi/pull/8442"},{"type":"WEB","url":"https://github.com/strapi/strapi/releases/tag/v3.2.5"}],"affected":[{"package":{"name":"strapi","ecosystem":"npm","purl":"pkg:npm/strapi"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.2.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7frv-9phw-vrvr/GHSA-7frv-9phw-vrvr.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}