Design/Logic Flaw

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the tnumber prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to...

CVE-2023-34235 Leaking sensitive user information still possible by filtering on private with prefix fields

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the tnumber prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to...

CVE-2023-34235

Strapi (pre-4.10.8) is vulnerable to information disclosure due to a Knex query that allows changing the default field prefix (t(number)). If the t-number prefix is used, private fields like password can be exposed, as t1.password is not protected. The issue can lead to filtering attacks affectin...

CVE-2023-34235 Leaking sensitive user information still possible by filtering on private with prefix fields

Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the tnumber prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to...

GHSA-9XG4-3QFM-9W8F Leaking sensitive user information still possible by filtering on private with prefix fields

Summary Still able to leak private fields if using the tnumber prefix Details Knex query allows you to change there default prefix SqliteError: select distinct t0. from pages as t0 left join adminusers as t1 on t0.updatedbyid = t1.id where t1.password = 1 so if you change the prefix to the same a...

Leaking sensitive user information still possible by filtering on private with prefix fields

Summary Still able to leak private fields if using the tnumber prefix Details Knex query allows you to change there default prefix SqliteError: select distinct t0. from pages as t0 left join adminusers as t1 on t0.updatedbyid = t1.id where t1.password = 1 so if you change the prefix to the same a...

PT-2023-24759

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 4.10.8 Description The issue allows for the leakage of private fields when using the tnumber prefix. This is possible because the Knex query allows users to change the default prefix. For example, changing the prefix t...

Strapi 信息泄露漏洞

Strapi is an open source content management system CMS. An information disclosure vulnerability exists in Strapi versions prior to 4.10.8, which stems from a Knex query that allows a user to change the default prefix, which may disclose private fields if the tnumber prefix is used...