High severityNVD Advisory· Published Nov 6, 2023· Updated Sep 4, 2024
Unauthorized Access to Private Fields in User Registration API in strapi
CVE-2023-39345
Description
strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@strapi/plugin-users-permissionsnpm | >= 4.0.0, < 4.13.1 | 4.13.1 |
@strapi/strapinpm | >= 4.0.0, < 4.13.1 | 4.13.1 |
Affected products
3- ghsa-coords2 versions
>= 4.0.0, < 4.13.1+ 1 more
- (no CPE)range: >= 4.0.0, < 4.13.1
- (no CPE)range: >= 4.0.0, < 4.13.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-gc7p-j5xm-xxh2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-39345ghsaADVISORY
- github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2ghsax_refsource_CONFIRMWEB
- strapi.io/blog/security-disclosure-of-vulnerabilities-sept-2023ghsaWEB
News mentions
0No linked articles in our index yet.