@strapi/plugin-content-manager leaks data via relations via the Admin Panel
- Severity: Low
Description
- If a super admin creates a collection in which an item has an association (relation) to another collection, a user with the Author role can see the full list of associated items, including items they did not create. An Author should only see the items they created themselves, not every item ever created in the related collection.
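To make the authorization gap concrete, here is an added illustration in JavaScript (not Strapi's code; the entry shape, the `createdBy` field and the role names are assumptions): a relation-candidate lookup that returns every target entry regardless of who asks, beside one that applies the same creator scoping an Author already gets in the list view.

```javascript
// Constructed sample data standing in for a target collection reached
// through a relation. Field names and role names are assumptions, not Strapi's schema.
const ARTICLES = [
  { id: 10, title: "Alice draft", createdBy: 1 },
  { id: 11, title: "Bob draft", createdBy: 2 },
  { id: 12, title: "Bob second", createdBy: 2 },
];

// Roles that may only read entries they created themselves (assumed role name).
const CREATOR_SCOPED_ROLES = new Set(["author"]);

// Vulnerable pattern: the relation picker loads every candidate entry of the
// target collection and never consults the requesting user's role.
function listRelationCandidatesUnscoped(targetEntries, _user) {
  return targetEntries.map((e) => e.id);
}

// Hardened pattern: enforce creator scoping on the relation lookup too, so an
// Author only sees entries whose createdBy matches their own id.
function listRelationCandidatesScoped(targetEntries, user) {
  if (!user || typeof user.id !== "number") {
    throw new Error("unauthenticated request");
  }
  const scoped = CREATOR_SCOPED_ROLES.has(user.role);
  return targetEntries
    .filter((e) => !scoped || e.createdBy === user.id)
    .map((e) => e.id);
}

// Side-by-side view of what one user would be shown under each pattern.
function visibleTo(user) {
  return {
    unscoped: listRelationCandidatesUnscoped(ARTICLES, user),
    scoped: listRelationCandidatesScoped(ARTICLES, user),
  };
}
```

Running `visibleTo({ id: 2, role: "author" })` shows the leak: the unscoped lookup returns all three ids, the scoped one only the two entries Bob created.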
Recommendation
Update the @strapi/plugin-content-manager package to the latest compatible version. Version details:
- Affected version(s): < 4.19.1
- Patched version(s): 4.19.1
References
- Tags: npm, @strapi/plugin-content-manager
Last updated on June 14, 2024