Moderate severityNVD Advisory· Published Sep 15, 2023· Updated Sep 25, 2024
Strapi may leak sensitive user information, user reset password, tokens via content-manager views
CVE-2023-36472
Description
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@strapi/plugin-content-managernpm | < 4.11.7 | 4.11.7 |
@strapi/adminnpm | < 4.11.7 | 4.11.7 |
@strapi/utilsnpm | < 4.11.7 | 4.11.7 |
Affected products
4- ghsa-coords3 versions
< 4.11.7+ 2 more
- (no CPE)range: < 4.11.7
- (no CPE)range: < 4.11.7
- (no CPE)range: < 4.11.7
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-v8gg-4mq2-88q4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-36472ghsaADVISORY
- github.com/strapi/strapi/releases/tag/v4.11.7ghsax_refsource_MISCWEB
- github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.