N/A

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

N/A

N/A

Strapi 安全漏洞

Strapi是一套开源的内容管理系统（CMS）。 Strapi 4.5.5之前版本存在安全漏洞，该漏洞源于允许攻击者通过利用查询过滤器来发现敏感的用户详细信息，攻击者利用该漏洞可以发现所有用户的密码哈希和密码重置令牌，或者发现所有 API 用户的敏感信息。

N/A

N/A