Security Advisory

CVE-2023-36472

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2023-09-15 18:54:34

Last updated 2024-09-25 15:00:46

Assigner GitHub_M

State PUBLISHED

Description

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they cant be selected. This issue is fixed in version 4.11.7.

← Browse all CVEs View on cve.org ↗