strapi@3.6.10 vulnerabilities

An open source headless CMS solution to create and manage your own API. It provides a powerful dashboard and features to make your life easier. Databases supported: MongoDB, MySQL, MariaDB, PostgreSQL, SQLite

Direct Vulnerabilities

Known vulnerabilities in the strapi package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable version

Severity: L (Low)
Cross-site Scripting (XSS)

strapi is an HTTP layer that sits on top of Koa.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload module, which allows attackers with admin permissions to exploit this vulnerability via a crafted file.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for strapi.

Severity: L (Low)
Cross-site Scripting (XSS)

strapi is an HTTP layer that sits on top of Koa.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient sanitization of user-supplied data in the file upload function. This vulnerability is exploitable when the victim has administrative privileges.

Note: Users of strapi should upgrade to @strapi/strapi, as strapi is EOL.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for strapi.

Severity: M (Medium)
Improper Authentication

strapi is an HTTP layer that sits on top of Koa.

Affected versions of this package are vulnerable to Improper Authentication. If an attacker is able to access a valid admin session, they can then change the account's password without being required to input the current password.

How to fix Improper Authentication?

A fix was pushed to the master branch but has not yet been published.
