Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Vulnerability Description
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Strapi 安全漏洞
Vulnerability Description
Strapi是法国strapi社区的一套开源的内容管理系统(CMS)。 Strapi 5.0.0版本至5.5.2之前版本存在安全漏洞,该漏洞源于文档服务的查找操作未正确清理私有字段的查询参数,可能导致攻击者通过特制查询访问私有字段。
CVSS Information
N/A
Vulnerability Type
N/A