CVE-2023-39345

Опубликовано: 06 нояб. 2023

Источник: nvd

CVSS3: 7.6

CVSS3: 7.5

EPSS Низкий

Описание

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2
Exploit
Vendor Advisory
https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.13.1 (исключая)

EPSS

Процентиль: 23%

0.00079

Низкий

7.6 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-gc7p-j5xm-xxh2

CVSS3: 7.6

github

больше 2 лет назад

Unauthorized Access to Private Fields in User Registration API

EPSS

Процентиль: 23%

0.00079

Низкий

7.6 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-287