Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong (神龙) strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
N/A
Vulnerability Description
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email addresses and password reset tokens, of API users (from users-permissions) whenever a content type the authenticated user can access holds a relationship to API users. There are many scenarios in which such details of API users leak in the JSON response within the admin panel, either through a direct or an indirect relationship. Access to this information lets a user compromise those users' accounts if the password reset API endpoints have been enabled. In the worst case, a low-privileged user could take over a high-privileged API account, read and modify any data, and block access to both the admin panel and the API by revoking the privileges of all other users.
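The leak described above is a sanitization problem: related entries are serialized with every attribute, including the ones the user model marks as private, and the relation may be one or more hops away from the content type the admin user is allowed to read. The following is an added example, not code from the Strapi project, showing both halves: a constructed admin-panel response in which the article's `author` (direct relation) and each comment's `poster` (indirect relation) carry the full users-permissions record, and a recursive sanitizer that follows the relation map and strips private attributes at any depth. The content-type UIDs, the relation map, the list of private attributes and the sample payload are all assumptions made for the example.

```javascript
// Added example, not Strapi project code. Content-type UIDs, attribute
// names, the relation map and the sample response are constructed.

// Attributes that must never leave the server for a given content type.
// In Strapi these are the attributes flagged `private: true` in the model
// schema; they are hard-coded here so the example runs stand-alone.
const PRIVATE_ATTRIBUTES = {
  'plugin::users-permissions.user': ['password', 'resetPasswordToken', 'confirmationToken'],
};

// Minimal relation map (assumed): which attributes of a type point at which
// target type. This is what lets the sanitizer follow indirect relations.
const RELATIONS = {
  'api::article.article': {
    author: 'plugin::users-permissions.user',
    comments: 'api::comment.comment',
  },
  'api::comment.comment': { poster: 'plugin::users-permissions.user' },
  'plugin::users-permissions.user': {},
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return a copy of `entry` (an object or array of entries of type `uid`) with
// private attributes removed from it and from every related entry reachable
// through RELATIONS. Returning the unsanitized entry is the bug on this page.
function sanitizeEntry(entry, uid) {
  if (Array.isArray(entry)) return entry.map((e) => sanitizeEntry(e, uid));
  if (entry === null || typeof entry !== 'object') return entry;
  const privateAttrs = new Set(PRIVATE_ATTRIBUTES[uid] || []);
  const relations = RELATIONS[uid] || {};
  const out = {};
  for (const [key, value] of Object.entries(entry)) {
    if (privateAttrs.has(key)) continue; // drop the private field entirely
    out[key] = hasOwn(relations, key) ? sanitizeEntry(value, relations[key]) : value;
  }
  return out;
}

// List every JSON path at which a known private attribute name occurs,
// whatever the surrounding type. Used to show the leak and to check the fix.
function findPrivatePaths(value, path = '$') {
  const names = new Set(Object.values(PRIVATE_ATTRIBUTES).flat());
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findPrivatePaths(v, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) =>
    names.has(k) ? [`${path}.${k}`] : findPrivatePaths(v, `${path}.${k}`));
}

// Constructed response as a vulnerable admin endpoint would return it:
// the author (direct relation) and each comment's poster (indirect relation)
// carry the full user record, reset token and password hash included.
const LEAKY_RESPONSE = {
  id: 1,
  title: 'Hello',
  author: {
    id: 7,
    username: 'editor',
    email: 'editor@example.com',
    password: '$2a$10$constructedhash',
    resetPasswordToken: 'tok-constructed-1',
  },
  comments: [
    {
      id: 3,
      body: 'nice',
      poster: {
        id: 9,
        username: 'reader',
        email: 'reader@example.com',
        password: '$2a$10$otherhash',
        resetPasswordToken: 'tok-constructed-2',
      },
    },
  ],
};

const SAFE_RESPONSE = sanitizeEntry(LEAKY_RESPONSE, 'api::article.article');

console.log('private fields before sanitizing:', findPrivatePaths(LEAKY_RESPONSE));
console.log('private fields after sanitizing: ', findPrivatePaths(SAFE_RESPONSE));
```

`findPrivatePaths` doubles as a cheap regression check for this class of bug: run it over the serialized body of every admin-panel response in a test suite and fail on any hit. Note that `email` is deliberately left in place by this sanitizer because it is not in the private list; whether it should be hidden is a schema decision, and the description above treats it as sensitive, so a deployment may choose to add it.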
CVSS Information
N/A
Vulnerability Type
Improper Removal of Sensitive Information Before Storage or Transfer
Vulnerability Title
Strapi Security Vulnerability
Vulnerability Description
Strapi is an open-source content management system (CMS). Strapi 3.x versions before 3.6.9 and 4.x versions before 4.1.9 contain a security vulnerability: details of API users can leak into the JSON responses of the admin panel through direct or indirect relationships. If the password reset API endpoints are enabled, access to this information allows a user to compromise those users' accounts.
CVSS Information
N/A
Vulnerability Type
N/A