@strapi/plugin-content-manager leaks data via relations via the Admin Panel
- Severity: Low
Description
- If a super admin creates a collection in which an item has an association (relation) to another collection, a user with the Author role can see the full list of associated items, including those they did not create. An Author should only see the items they created themselves, not every item ever created.
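The gap described above, modelled as an added example that is not Strapi's code: the Author role's read-your-own scope is applied when the collection is listed, but the vulnerable relation lookup resolves related entries without re-applying it, while the fixed lookup filters the related entries by the same ownership rule. All users, collections, field names and functions here are constructed for illustration.

```javascript
// Constructed sample data (hypothetical, not from Strapi): two Author-role
// users and one super admin; "tags" created by different users; a "note"
// created by alice that has a relation to two tags, one of which bob created.
const users = {
  alice: { id: 1, role: 'author' },
  bob: { id: 2, role: 'author' },
  root: { id: 3, role: 'super_admin' },
};

const tags = [
  { id: 10, name: 'public-roadmap', createdBy: 1 },
  { id: 11, name: 'internal-client-list', createdBy: 2 },
  { id: 12, name: 'draft-pricing', createdBy: 2 },
];

const notes = [{ id: 100, title: 'alice note', createdBy: 1, tags: [10, 11] }];

// Ownership scope for the Author role: an entry is readable only by the user
// who created it. Super admins are unrestricted.
function visibleTo(user, entry) {
  return user.role === 'super_admin' || entry.createdBy === user.id;
}

// Listing the primary collection applies the scope (this part is correct).
function listEntries(user, collection) {
  return collection.filter((e) => visibleTo(user, e));
}

// Vulnerable pattern: the parent entry is checked, but the related entries
// are returned as-is, so an Author sees bob's tag through alice's note.
function listRelatedVulnerable(user, entry, relatedCollection) {
  if (!visibleTo(user, entry)) return [];
  return relatedCollection.filter((r) => entry.tags.includes(r.id));
}

// Fixed pattern: a read of related entries is still a read of that
// collection, so the same ownership scope is applied to each related entry.
function listRelatedFixed(user, entry, relatedCollection) {
  if (!visibleTo(user, entry)) return [];
  return relatedCollection
    .filter((r) => entry.tags.includes(r.id))
    .filter((r) => visibleTo(user, r));
}

// Relation picker candidates (hypothetical): what an Author may attach must
// be scoped the same way as what they may list.
function listRelationCandidates(user, relatedCollection) {
  return listEntries(user, relatedCollection);
}
```

Running `listRelatedVulnerable(users.alice, notes[0], tags)` returns both tags, while `listRelatedFixed` returns only the tag alice created; the super admin sees both in either version.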
Recommendation
Update the @strapi/plugin-content-manager package to the latest compatible version. Version details:
- Affected version(s): < 4.19.1
- Patched version(s): 4.19.1
References
Related Issues
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views (GHSA-v8gg-4mq2-88q4) - CVE-2023-36472
- @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
- Tags: npm, @strapi/plugin-content-manager
Last updated on June 14, 2024