npm package
@strapi/plugin-content-manager
pkg:npm/%40strapi/plugin-content-manager
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-29181 | — | | | < 4.19.1 | 4.19.1 | Jun 12, 2024 | Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they |
| CVE-2023-37263 | — | | | < 4.12.1 | 4.12.1 | Sep 15, 2023 | Strapi is an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will s |
| CVE-2023-36472 | — | | | < 4.11.7 | 4.11.7 | Sep 15, 2023 | Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure th |