CVE-2023-36472: Exposure of Sensitive Information to an Unauthorized Actor

September 15, 2023 (updated September 21, 2023)

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can’t be selected. This issue is fixed in version 4.11.7.

References

github.com/strapi/strapi/releases/tag/v4.11.7
github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4
nvd.nist.gov/vuln/detail/CVE-2023-36472

Code Behaviors & Features

Detect and mitigate CVE-2023-36472 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →