VYPR
Moderate severityNVD Advisory· Published Sep 15, 2023· Updated Sep 25, 2024

Strapi may leak sensitive user information, user reset password, tokens via content-manager views

CVE-2023-36472

Description

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@strapi/plugin-content-managernpm
< 4.11.74.11.7
@strapi/adminnpm
< 4.11.74.11.7
@strapi/utilsnpm
< 4.11.74.11.7

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.