CVE-2022-31367: Release v4.1.10 · strapi/strapi
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
🔥 Bug fix
- [core:admin] [Fix] Guided tour skipped local storage (#13227) @ronronscelestes
- [core:content-manager] SingleTypeFormWrapper: Display custom error messages (#13257) @gu-stav
- [core:strapi] ML: Apply fallback mime-type if none is set (#12881) @gu-stav
- [core:strapi] Fix deployment on GCP by generating .gitkeep for db migrations (#13275) @derrickmehaffy
- [core:strapi] fix: hook getter spread make handlers invalid (#13277) @alexandrebodin
- [core:upload] Upgrade nodemailer (#13207) @derrickmehaffy
- [plugin:i18n] Fix bulk delete for non-default locales (#12850) @petersg83
- [plugin:sentry] Upgrade Sentry version (both for plugin and internal) to latest (#13168) @derrickmehaffy
- [plugin:users-permissions] Fix unable to populate User in Users-Permissions (#11960) @iicdii
💅 Enhancement
- [core:admin] Added new ru translations for admin content (#13201) @MaksZhukov
- [core:admin] [Enhancement] Updated homepage logo (#13219) @ronronscelestes
- [core:admin] [Enh] DS v2 components (#13226) @ronronscelestes
- [core:admin] [Enh] Allow Wysiwyg spellcheck (#13236) @ronronscelestes
- [core:strapi] Admin UI Catalan translation (#13054) @davefv
- [core:upload] Display error when loading upload provider (#13092) @petersg83
🚨 Security
- [core:admin] Sanitize hidden attributes from admin API responses (#13185) @Convly
📚 Migration guides can be found here 📚
Related news
GHSA-4phg-hpqm-c3j4: Strapi mishandles hidden attributes within admin API responses