Unauthorized Access to Private Fields in User Registration API in strapi
CVE-2023-39345
7.6 HIGH
What is CVE-2023-39345?
Strapi, an open-source headless Content Management System, lacked write-access restrictions on private fields in its user registration endpoint. A malicious user could include such fields in a registration request and set values on their own user record that the endpoint was never meant to accept. The issue is fixed in version 4.13.1; users should upgrade to that version, as no workarounds are available.
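The underlying pattern is a registration handler that copies whatever the client sends into the new user record, instead of picking only the fields registration is supposed to accept. The block below is an added illustration written for this page, not Strapi's own code: the vulnerable handler beside an allowlisting one, exercised on a constructed payload. The field names `confirmed`, `blocked` and `role` are assumed examples of attributes a self-registering user must not control; the advisory does not say which fields were reachable in Strapi.

```javascript
// Added example (not Strapi's code): allowlisting registration input so
// that private fields in the request body never reach the stored record.
// Field names are assumed for illustration.

const REGISTRATION_FIELDS = ['username', 'email', 'password'];

// Vulnerable pattern: every key from the client body lands in the record,
// so a client-supplied "role" or "confirmed" silently overrides defaults.
function buildUserRecordVulnerable(body) {
  return { provider: 'local', confirmed: false, blocked: false, ...body };
}

// Hardened pattern: copy only the allowlisted fields and report the rest,
// so the caller can log or reject a request that tried to set private data.
function sanitizeRegistrationInput(body) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (REGISTRATION_FIELDS.includes(key)) {
      accepted[key] = value;
    } else {
      rejected.push(key); // includes keys such as "__proto__"
    }
  }
  return { accepted, rejected };
}

function buildUserRecordHardened(body) {
  const { accepted } = sanitizeRegistrationInput(body);
  // Server-controlled defaults are applied after the sanitized input, so
  // they cannot be overridden even if the allowlist were ever widened.
  return { ...accepted, provider: 'local', confirmed: false, blocked: false };
}

// Constructed registration payload carrying extra fields a user should
// never be able to set about themselves (names assumed, not from Strapi).
const CONSTRUCTED_PAYLOAD = {
  username: 'alice',
  email: 'alice@example.com',
  password: 'correct horse battery staple',
  confirmed: true,
  blocked: false,
  role: 1,
};

console.log('vulnerable:', JSON.stringify(buildUserRecordVulnerable(CONSTRUCTED_PAYLOAD)));
console.log('hardened:  ', JSON.stringify(buildUserRecordHardened(CONSTRUCTED_PAYLOAD)));
console.log('rejected:  ', sanitizeRegistrationInput(CONSTRUCTED_PAYLOAD).rejected.join(', '));
```

After upgrading, a quick acceptance check is to send a registration request that carries one extra, non-registration field and confirm the stored user does not reflect it; in a default Strapi v4 install the registration endpoint is `POST /api/auth/local/register`. Logging the rejected keys, as `sanitizeRegistrationInput` does, also gives a cheap detection signal for clients probing the endpoint.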
Affected Version(s)
strapi >= 4.0.0, < 4.13.1
