Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.
References
Link | Resource |
---|---|
https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6 | Patch |
https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m | Exploit Vendor Advisory |
Configurations
History
26 Sep 2024, 14:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6 - Patch | |
References | () https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m - Exploit, Vendor Advisory | |
CPE | cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 3.5 |
First Time |
Strapi strapi
Strapi |
13 Jun 2024, 18:36
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
12 Jun 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-12 15:15
Updated : 2024-09-26 14:48
NVD link : CVE-2024-29181
Mitre link : CVE-2024-29181
CVE.ORG link : CVE-2024-29181
JSON object : View
Products Affected
strapi
- strapi
CWE
CWE-639
Authorization Bypass Through User-Controlled Key