CVE-2024-29181

Опубликовано: 12 июн. 2024

Источник: nvd

CVSS3: 2.3

CVSS3: 3.5

EPSS Низкий

Описание

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.

Ссылки

https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
Patch
https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m
Exploit
Vendor Advisory
https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
Patch
https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Версия до 4.19.1 (исключая)

EPSS

Процентиль: 62%

0.00433

Низкий

2.3 Low

CVSS3

3.5 Low

CVSS3

Дефекты

CWE-639

Связанные уязвимости

GHSA-6j89-frxc-q26m

CVSS3: 2.3

github

больше 1 года назад

@strapi/plugin-content-manager leaks data via relations via the Admin Panel

EPSS

Процентиль: 62%

0.00433

Низкий

2.3 Low

CVSS3

3.5 Low

CVSS3

Дефекты

CWE-639