3 matches found
CVE-2023-36472 Strapi may leak sensitive user information, user reset password, tokens via content-manager views
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be...
CVE-2023-36472
CVE-2023-36472 affects Strapi (before 4.11.7). The /content-manager/relations route allows an actor with the configure view permission to access private fields, including user reset password tokens, enabling information disclosure. The issue is fixed in version 4.11.7. If exploiting, the impact i...
@beardeddudes/strapi-types (=0.1.0), @buit-public/provider-upload-local-custom (=4.11.4) +67 more potentially affected by CVE-2023-36472 via @strapi/utils (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.11.6)
@strapi/utils NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =4.11.3, =4.11.2, =1.0.0-beta, =1.0.0-alpha.0, =0.1.2, =0.0.0-00a3f69152eb918683ed5c05bfed9c45495c0a87, =0.0.0-experimental.0a47d9bbb261b49ab02af2597ede27b7bdb196f4,...