mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-05 18:27:17 +00:00
943 B
CVE-2023-36472
Description
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor who has the configure-view permission can read user password-reset tokens: the /content-manager/relations route neither removes attributes marked private from the related entries it returns nor prevents those attributes from being selected. This issue is fixed in version 4.11.7.
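The two failures the description names (private attributes not stripped from the response, and nothing stopping a caller from selecting them) are shown side by side below. This is an added illustration, not Strapi's own code or its fix; the schema, the `relatedUsers` sample and the `vulnerableRelations` / `hardenedRelations` helpers are constructed for the example, and the attribute names only mirror the shape of Strapi's users-permissions user type, which marks fields such as `password` and `resetPasswordToken` as `private: true`.

```javascript
// Added example, not Strapi code. Demonstrates why a relations endpoint must
// honour `private: true` on both the selection side and the output side.

// Constructed schema in the style of a Strapi content-type definition.
const userSchema = {
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
    role: { type: 'relation', relation: 'manyToOne', target: 'role' },
  },
};

// Constructed rows standing in for what the relations lookup reads from the DB.
const relatedUsers = [
  { id: 1, username: 'alice', email: 'alice@example.test', password: '$2a$10$fakehash', resetPasswordToken: 'tok-abc123' },
  { id: 2, username: 'bob', email: 'bob@example.test', password: '$2a$10$fakehash', resetPasswordToken: null },
];

// Names of every attribute the schema declares private.
function privateAttributes(schema) {
  return Object.entries(schema.attributes)
    .filter(([, attr]) => attr.private === true)
    .map(([name]) => name);
}

// Copy only the requested fields; with no field list, copy the whole entry.
function pick(entry, fields) {
  if (!fields) return { ...entry };
  const out = {};
  for (const f of fields) if (Object.prototype.hasOwnProperty.call(entry, f)) out[f] = entry[f];
  return out;
}

// The behaviour the advisory describes: the caller's `fields` selection is
// applied verbatim and the stored row is returned as-is, so a request that
// names resetPasswordToken gets it back.
function vulnerableRelations(entries, schema, fields) {
  return entries.map((e) => pick(e, fields));
}

// Hardened form: (1) private attributes are dropped from the selection so
// they cannot be asked for, and (2) they are stripped from the output so a
// full-entry response never carries them either.
function hardenedRelations(entries, schema, fields) {
  const priv = new Set(privateAttributes(schema));
  const allowed = fields ? fields.filter((f) => !priv.has(f)) : undefined;
  return entries.map((e) => {
    const out = pick(e, allowed);
    for (const k of Object.keys(out)) if (priv.has(k)) delete out[k];
    return out;
  });
}

// Stand-alone demonstration of the difference for one request.
const request = ['id', 'username', 'resetPasswordToken'];
console.log('vulnerable:', JSON.stringify(vulnerableRelations(relatedUsers, userSchema, request)));
console.log('hardened:  ', JSON.stringify(hardenedRelations(relatedUsers, userSchema, request)));
```

The selection filter alone is not enough: a route that returns whole entries when no `fields` parameter is given still needs the output-side strip, which is why `hardenedRelations` does both.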
POC
Reference
Github
No PoCs found on GitHub currently.