7.6 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
6.9 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.8%
@strapi/strapi and @strapi/plugin-users-permissions are vulnerable to Improper Access Control. The vulnerability is caused by a missing configuration/provision to control which custom fields are allowed to be set during registration while calling the /api/auth/local/register
route. This can lead to an attacker writing to custom fields even when they are set as private.
7.6 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
6.9 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.8%