CVE-2023-36472

Published September 15th, 2023

View on NVD ↗

CVSS v3

5.8

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.

strapi/strapi

🚀 Strapi is the leading open-source headless CMS. It’s 100% JavaScript/TypeScript, fully customizable, and developer-first.

GitHub

72.3K