CVELIST:CVE-2023-37263
History: Sep 15, 2023 - 6:57 p.m.

CVE-2023-37263 Strapi's field level permissions not being respected in relationship title

Published: 2023-09-15 18:57:09
Weakness: CWE-200
Source: GitHub_M (www.cve.org)
Tags: strapi, content management system, security, vulnerability, fix, permission issue

6.8 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

EPSS: 0.0004 Low (percentile 14.0%)

Strapi is an open-source headless content management system. Prior to version 4.12.1, field-level permissions are not respected in the relationship title. If an actor can view a relationship title and that title displays a field they do not have permission to see, the field is still visible to them. Version 4.12.1 contains a fix for this issue.

CNA Affected

[
  {
    "vendor": "strapi",
    "product": "strapi",
    "versions": [
      {
        "version": "< 4.12.1",
        "status": "affected"
      }
    ]
  }
]
