CVE-2023-22621: 
JavaScript vulnerability analysis and mitigation

CVE-2023-22621 is a critical Server-Side Template Injection (SSTI) vulnerability discovered in Strapi versions through 4.5.5. The vulnerability allows authenticated users with access to the Strapi admin panel to inject malicious code into email templates that can execute arbitrary code on the server. The vulnerability was discovered in December 2022 and patched in version 4.5.6 (Strapi Blog, NVD).

The vulnerability exists in the email template system of the users-permissions plugin. An attacker can bypass the validation checks in the isValidEmailTemplate function by exploiting a flaw in the regex patterns used for template validation. The vulnerability has a CVSS v3.1 Base Score of 7.2 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, the vulnerability allows attackers to execute arbitrary code on the server through crafted email templates. When chained with other vulnerabilities like CVE-2023-22894, it could lead to unauthenticated remote code execution on affected Strapi servers (Strapi Blog, GhostCcamm Blog).

The primary mitigation is to upgrade to Strapi version 4.5.6 or later. For users unable to upgrade immediately, patch-package patches were made available. Organizations using Strapi 3.x.x versions must upgrade to a patched 4.x.x version as version 3 reached end-of-life on December 31, 2022, and will not receive security updates (Strapi Blog).