CVE-2023-36472: Release v4.11.7 · strapi/strapi

Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can’t be selected. This issue is fixed in version 4.11.7.


Skipping v4.11.6 due to publication errors

🔥 Bug fix

  • [core:admin] Add cellFormatter support (#17347) @markkaylor
  • [core:admin] Fix: Remove @strapi/babel-plugin-switch-ee-ce again (#17353) @gu-stav
  • [core:content-manager] fix(i18n): entity locale actions were aimed at default locale (#17335) @joshuaellis
  • [core:content-type-builder] add translation for aria-label (#17271) @nitinmadelyn
  • [core:data-transfer] Transfer assets to and from external providers (#17105) @Bassel17
  • [core:helper-plugin] fix(helper-plugin): useRBAC needs to recalc if the userPermissions argument changes (#17333) @joshuaellis
  • [core:strapi] Return routes once only (#17290) @alexandrebodin
  • [plugin:i18n] Do not try to add API endpoint for content type plugins using i18N (#17270) @alexandrebodin

⚙️ Chore

  • [core:admin] Chore: Drop babel ee_else_ce plugin and babel from @strapi/admin (#17206) @gu-stav
  • [core:admin] refactor: remove simple menu v1 (#17214) @joshuaellis
  • [dependencies] chore: update ds to 1.8.2 (#17265) @joshuaellis
  • [dependencies] chore(deps-dev): bump the eslint group with 2 updates (#17267) @dependabot
  • [dependencies] chore(deps-dev): bump the eslint group with 2 updates (#17326) @dependabot
  • [dependencies] chore(deps-dev): bump nx from 16.4.0 to 16.5.2 (#17329) @dependabot

📚 Update and Migration Guides

  • General update guide can be found here
  • Migration guides can be found here 📚

Related news

GHSA-v8gg-4mq2-88q4: Strapi may leak sensitive user information, user reset password, tokens via content-manager views

### Summary

I can get access to user reset password tokens if I have the configure view permissions

![b37a6fd9eae06027e7d91266f1908a3d](https://user-images.githubusercontent.com/34578426/246782921-fbc007d3-ffec-45de-a1f1-a4287cd507ac.png)

![6c1da5b3bfbb3bca97c8d064be0ecb05](https://user-images.githubusercontent.com/34578426/246783044-7d716dde-6f27-4d01-9521-42720c6ce92e.gif)

### Details

/content-manager/relations route does not remove private fields or ensure that they can't be selected

### PoC

  1. Install fresh strapi instance
  2. Start up strapi and create an account
  3. Create a new content-type
  4. Give the content-type a relation with admin users and save
  5. Go to Admin panel roles Author and then plugins. Enable for content-manager collection types the configure view
  6. In the collection type now only give them access to the collection you created for this.
  7. Create a new admin user account with the Author role
  8. Log out and request a password reset for the main admin user.
  9. Login on the newly created a...
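As an added example (not Strapi's code nor the reporter's) of the two checks the Details section says the relations route lacked, assuming a constructed Strapi-style schema in which `private: true` marks attributes such as `resetPasswordToken`: private attributes are stripped from every returned record, and a caller-supplied field list that names one is refused rather than honoured.

```javascript
// Added example, not Strapi's own code: a relation-lookup handler that
// enforces a content type's `private` attribute flags on the way out.
// Constructed schema in the shape Strapi content types use.
const userSchema = {
  attributes: {
    email: { type: 'email' },
    username: { type: 'string' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
  },
};

// Names of the attributes the schema marks private (never to be returned).
function privateFields(schema) {
  return Object.keys(schema.attributes).filter(
    (name) => schema.attributes[name].private === true
  );
}

// Reject a caller-chosen field list that names any private attribute,
// instead of silently selecting it as the vulnerable route did.
function assertSelectable(schema, fields) {
  const hidden = privateFields(schema);
  const bad = (fields || []).filter((f) => hidden.includes(f));
  if (bad.length) throw new Error(`private fields not selectable: ${bad.join(', ')}`);
}

// Copy a record keeping only non-private attributes (plus id), narrowed to
// the requested fields when a field list is given.
function sanitizeRecord(schema, record, fields) {
  const hidden = privateFields(schema);
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (hidden.includes(key)) continue;
    if (fields && fields.length && key !== 'id' && !fields.includes(key)) continue;
    out[key] = value;
  }
  return out;
}

// Validate the selection first, then sanitize every record so a private
// value cannot leak even if the query layer fetched it.
function relationsResponse(schema, records, fields) {
  assertSelectable(schema, fields);
  return records.map((r) => sanitizeRecord(schema, r, fields));
}

// Constructed sample row as a database lookup might return it (values are fake).
const rows = [{ id: 1, email: 'admin@example.test', username: 'admin',
  password: 'HASH_PLACEHOLDER', resetPasswordToken: 'TOKEN_PLACEHOLDER' }];
```

Calling `relationsResponse(userSchema, rows, ['email', 'username'])` yields only `id`, `email` and `username`, and asking for `resetPasswordToken` in the field list throws before any row is touched.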
