Strapi's field level permissions not being respected in relationship title
- Severity:
- Medium
Description
Field level permissions not being respected in relationship title. If I have a relationship title and the relationship shows a field I don’t have permission to see I will still be visible.
Recommendation
Update the @strapi/plugin-content-manager package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.12.1
- Patched version(s): 4.12.1
References
Related Issues
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views - @strapi/plugin-content-manager - CVE-2023-36472
- Strapi Improper Rate Limiting vulnerability - @strapi/plugin-users-permissions - CVE-2023-38507
- Unauthorized Access to Private Fields in User Registration API - @strapi/plugin-users-permissions - CVE-2023-39345
- Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706
You might also like:
- Tags:
- npm
- @strapi/plugin-content-manager
Anything's wrong? Let us know Last updated on September 25, 2024


