CVE-2023-39345

2023-11-0619:15:09

CWE-287

[email protected]

web.nvd.nist.gov

strapi

headless cms

cve-2023-39345

unauthorized access

user record modification

security vulnerability

upgrade

7.6 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

0.0005 Low

EPSS

Percentile

18.0%

JSON

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

strapistrapiRange4.0.0–4.13.1

VendorProductVersionCPE
strapistrapi*cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
strapi	strapi	*	cpe:2.3:a:strapi:strapi::::::::

CNA Affected

[
  {
    "vendor": "strapi",
    "product": "strapi",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.13.1",
        "status": "affected"
      }
    ]
  }
]