alexzaganelli/strapi-plugin-email-designer

[QUESTION]: Why is this not on the Strapi Marketplace anymore?

BayBreezy opened this issue · 10 comments

Just a question.

Ccamm commented

This plugin has a critical vulnerability that the developer has not responded to despite repeated communication. It is related to the multiple critical vulnerabilities I discovered in Strapi (full disclosure of the vulnerabilities https://www.ghostccamm.com/blog/multi_strapi_vulns/). Also, no, updating to the latest version of Strapi will not fix the vulnerability in this plugin.

I strongly advise you to stop using this plugin. I have tried contacting the developer multiple times, and so has the Strapi team.

Ok. I will read the article soon.
Maybe we should fork it and keep an up-to-date version going? Gonna check the license on this as well.

Ccamm commented

Yup, if you do fork it I recommend reading the email template vulnerability. This plugin is affected by the same issue since the code was copied and pasted from Strapi. Instead of doing the fix that Strapi did, I recommend using a logic-less template engine such as Mustache.js or micromustache.

This will remove the "feature" of running inline JavaScript code within email templates, because that is the vulnerability. It does require authentication to exploit, but because of the other critical vulnerability that I reported any attacker can hijack an administrator account (fixed in >=4.8.0).
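The two comments above describe the core of the issue: a template engine that evaluates inline JavaScript turns "can edit an email template" into "can run code on the server", and a logic-less engine removes the problem by having no expression syntax at all. The block below is an added example written for this page; it is not code from strapi-plugin-email-designer, Strapi, lodash or Mustache.js. Both renderers are deliberately minimal stand-ins (the `<%= %>` evaluator built on the Function constructor models the hazardous design rather than reproducing Strapi's actual template code; the `{{ }}` lookup models a Mustache-style engine), and the hostile template is constructed for the demonstration.

```javascript
// Added example (not code from strapi-plugin-email-designer or from Strapi):
// why a template engine that evaluates inline JavaScript is a remote-code-execution
// primitive for anyone who can edit email templates, and what a logic-less
// replacement looks like. Both renderers are simplified stand-ins written for
// this example; the real engines differ in detail.

// 1. The hazardous design: "<%= expr %>" is spliced into a function body and
//    executed with the full privileges of the Node process. This is the
//    "feature" the thread says has to go.
function renderWithInlineJs(template, data) {
  let body = 'let out = "";\n';
  // Template variables become locals; everything else an expression can reach
  // (process, globalThis, ...) is reachable too.
  body += `const { ${Object.keys(data).join(", ")} } = data;\n`;
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    body += `out += ${JSON.stringify(template.slice(last, m.index))};\n`;
    body += `out += String(${m[1]});\n`; // template author's text becomes code
    last = re.lastIndex;
  }
  body += `out += ${JSON.stringify(template.slice(last))};\nreturn out;`;
  return new Function("data", body)(data);
}

// 2. Logic-less rendering: "{{ path }}" is only a lookup into the data object,
//    HTML-escaped on output. There is no expression syntax, so there is nothing
//    to evaluate: a malicious template can at most produce odd text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderLogicless(template, data) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    // Own-property lookups only, so "{{ constructor.name }}" cannot walk the
    // prototype chain; anything missing renders as an empty string.
    const value = path.split(".").reduce(
      (obj, key) =>
        obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined,
      data
    );
    return value == null ? "" : escapeHtml(String(value));
  });
}

// Constructed hostile template. A real attacker would spawn a shell; this one
// only proves execution by stashing the server's pid on the global object.
const HOSTILE = 'Hi <%= name %>, <%= (globalThis.__pwned = process.pid, "welcome") %>';

function demo() {
  const inline = renderWithInlineJs(HOSTILE, { name: "Ann" });
  const executed = globalThis.__pwned === process.pid; // true: the template ran code
  // The same text through the logic-less engine: "<%= ... %>" is just characters.
  const logicless = renderLogicless(HOSTILE, { name: "Ann" });
  const safe = renderLogicless("Hi {{ name }}, {{ constructor.name }}{{ user.plan }}", {
    name: "Ann <b>",
    user: { plan: "pro" },
  });
  return { inline, executed, logicless, safe };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of the contrast is that no amount of escaping or input validation makes the first renderer safe, because the template text *is* the program; the fix is to switch to an engine whose grammar has no way to express code, which is what the recommendation to use Mustache.js or micromustache amounts to.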

Hi everyone, I apologize for the delay as I have been swamped with work. I was hoping for some assistance, but at this point, I must admit I'm skeptical. This plugin has been downloaded an average of 1,282 times per week for years, and yet no one has ever offered me a single beer :-D

Nevertheless, I will continue to make every effort to update this plugin. Of course, I welcome any pull requests (PRs) from the community!

Dang... I can get you a beer. This plugin is a major part of why I use Strapi to this day. I did not start using v4 until this plugin was ready for it. It helps me with emails sent from the server as well as PDF docs that I generate and return to the client. I would love to see it listed on the market again.

This plugin is a real marvel. For me the best plugin of all those I use for my projects. I hope it will always be maintained, because it is truly extraordinary!

I still find that the support for the mobile version is not at all developed. I don't understand how the mobile version can be supported on mobiles. All the mobiles on which I test display the desktop version...

Ccamm commented

Hi everyone, I apologize for the delay as I have been swamped with work. I was hoping for some assistance, but at this point, I must admit I'm skeptical. This plugin has been downloaded an average of 1,282 times per week for years, and yet no one has ever offered me a single beer :-D

Nevertheless, I will continue to make every effort to update this plugin. Of course, I welcome any pull requests (PRs) from the community!

I completely understand being swamped with work and understand the delay. If you want me to assist with validating any patches and/or explain the vulnerability in more detail than here you can DM me on Twitter https://twitter.com/GhostCcamm.

Hey @alexzaganelli , I know you are busy.
Can an ETA on when this plugin can be updated be provided? I really don't want it to die :(.
If I am to help with the code, I would have to go learn React which will take me a few months.

Even if the time to get it up to Strapi's standards will be at the end of the year, I just want to know.

Hello @alexzaganelli, I share the question with @BayBreezy. Maybe we can offer our support by asking in the Strapi forum whether there will be someone able to fix it so it can get up and running in the Strapi marketplace. Let us know if we can assist you in any way.

Hey @Ccamm, I would like to take a look into this issue since I have some free time after work, and maybe you can assist with validating etc. If you're up for it, please DM me on https://twitter.com/creazy231 since I can't DM you first. #twitterblue