Improper Removal of Sensitive Information Before Storage or Transfer in Strapi - @strapi/strapi

Severity:: High

Description

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user.

Recommendation

Update the @strapi/strapi package to the latest compatible version. Followings are version details:

Affected version(s): <= 4.0.0-beta.14
Patched version(s): 4.0.0-beta.15

References

GHSA-f6fm-r26q-p747
www.synopsys.com
CVE-2022-30617
CWE-212
CAPEC-310
OWASP 2021-A6

Related Issues

Improper Removal of Sensitive Information Before Storage or Transfer in Strapi - CVE-2022-30618
Strapi leaking sensitive user information by filtering on private fields - CVE-2023-22894
Exposure of Sensitive Information in eventsource - CVE-2022-1650
Strapi may leak sensitive user information, user reset password, tokens via content-manager views - CVE-2023-36472

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @strapi/strapi

Anything's wrong? Let us know Last updated on January 27, 2023