Making all attributes on a content-type public without noticing it - @strapi/utils

Description

Anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it.

Recommendation

Update the @strapi/utils package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.10.8
• Patched version(s): 4.10.8

References

• GHSA-chmr-rg2f-9jmf
• CVE-2023-34093
• CWE-200
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Making all attributes on a content-type public without noticing it - @strapi/database - CVE-2023-34093
• Making all attributes on a content-type public without noticing it - CVE-2023-34093
• Strapi may leak sensitive user information, user reset password, tokens via content-manager views - @strapi/utils - CVE-2023-36472
• Strapi Vulnerable to SQL Injection in Content Type Builder - CVE-2026-22599

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@strapi/utils