Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-48218: Leaking fields if the request fields where empty or only fields selected where not populatable

The Strapi Protected Populate Plugin protects get endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn’t have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds.

CVE
Open in Source
#nodejs

Package

npm strapi-plugin-protected-populate (npm)

Description

Impact

people where able to bypass the field level security. This means fields that they where not allowed to populate could be populate anyway. If they tried to populate something that they don’t have access to.

Patches

This issue has been patched in 1.3.4

Workarounds

None

Related news

GHSA-6h67-934r-82g7: Bypass of field access control in strapi-plugin-protected-populate

### Impact Users are able to bypass the field level security. This means fields that they where not allowed to populate could be populated anyway even in the event that they tried to populate something that they don't have access to. ### Patches This issue has been patched in 1.3.4 ### Workarounds None

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE