CVE-2024-29181

Published: Jun 12, 2024Modified: Nov 21, 2024

3.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.1 / Impact: 1.4

Source: NVD

Description

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.

Affected (1)

Products: Strapi: Strapi

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Strapi Strapi	Before 4.19.1

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6

Source: security-advisories@github.com

Patch

https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.