CVE-2023-36472

medium

Description

Strapi is an open-source headless content management system. Prior to version 4.11.7, an actor who holds the configure view permission, but is not otherwise authorized, can gain access to users' password reset tokens: the `/content-manager/relations` route neither removes private fields from its responses nor ensures that they cannot be selected. This issue is fixed in version 4.11.7.
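An added illustration (not Strapi's own code or the upstream fix) of the two checks the description implies a relations endpoint needs: strip attributes the content-type schema marks `private: true` from results, and reject a `fields` selection that names one. The schema object, the helper names and the sample users are assumed simplifications constructed for this example.

```javascript
// Hypothetical, simplified content-type schema: attributes flagged
// `private: true` must never appear in API responses.
const userSchema = {
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    resetPasswordToken: { type: 'string', private: true },
    password: { type: 'password', private: true },
  },
};

// Names of every attribute the schema declares private.
function privateAttributes(schema) {
  return Object.entries(schema.attributes)
    .filter(([, attr]) => attr.private === true)
    .map(([name]) => name);
}

// Return copies of the entities with private attributes removed; the input
// objects are not mutated.
function sanitizeEntities(schema, entities) {
  const hidden = new Set(privateAttributes(schema));
  return entities.map((entity) =>
    Object.fromEntries(Object.entries(entity).filter(([key]) => !hidden.has(key))),
  );
}

// Validate a caller-supplied `fields` selection before querying: a request
// that names a private attribute is refused instead of being honoured.
function validateFieldSelection(schema, fields) {
  const hidden = new Set(privateAttributes(schema));
  const disallowed = fields.filter((field) => hidden.has(field));
  if (disallowed.length > 0) {
    throw new Error(`Cannot select private attribute(s): ${disallowed.join(', ')}`);
  }
  return fields;
}

// Constructed sample rows resembling what a relations lookup might load.
const sampleUsers = [
  { id: 1, username: 'alice', email: 'alice@example.com', resetPasswordToken: 'tok-1', password: 'hash-1' },
  { id: 2, username: 'bob', email: 'bob@example.com', resetPasswordToken: null, password: 'hash-2' },
];

// Typical use: validate the selection first, then sanitize whatever is returned.
validateFieldSelection(userSchema, ['username', 'email']);
const safeUsers = sanitizeEntities(userSchema, sampleUsers);
```

Applying both steps means a private field cannot leak either through a default response or through an explicit `fields` request.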

References

https://github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4

https://github.com/strapi/strapi/releases/tag/v4.11.7

Details

Source: Mitre, NVD

Published: 2023-09-15

Updated: 2023-09-21

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Severity: Medium