{"url":"http://public2.vulnerablecode.io/api/packages/61971?format=json","purl":"pkg:npm/%40strapi/strapi@4.1.5","type":"npm","namespace":"@strapi","name":"strapi","version":"4.1.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.13.1","latest_non_vulnerable_version":"5.37.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111440?format=json","vulnerability_id":"VCID-1j5t-31jf-aucc","summary":"Improper Removal of Sensitive Information Before Storage or Transfer in Strapi\nAn authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30618","reference_id":"","reference_type":"","scores":[{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60431","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60479","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30618"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30618","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30618"},{"reference_url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi"},{"reference_url":"https://github.com/advisories/GHSA-vgj7-895j-gpr6","reference_id":"GHSA-vgj7-895j-gpr6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vgj7-895j-gpr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/152633?format=json","purl":"pkg:npm/%40strapi/strapi@4.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-apu8-13ex-gqhx"},{"vulnerability":"VCID-dxss-at1b-vkaq"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.1.9"}],"aliases":["CVE-2022-30618","GHSA-vgj7-895j-gpr6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1j5t-31jf-aucc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45715?format=json","vulnerability_id":"VCID-5bpn-j31w-k7gb","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nStrapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the actual content types themselves. Users can use plugins or modify their own content types without realizing that the `privateAttributes` getter is being removed, which can result in any attribute becoming public. This can lead to sensitive information being exposed or the entire system being taken control of by an attacker(having access to password hashes). Anyone can be impacted, depending on how people are using/extending content-types. If the users are mutating the content-type, they will not be affected. Version 4.10.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34093","reference_id":"","reference_type":"","scores":[{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.2753","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34093"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v4.10.8","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/releases/tag/v4.10.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34093","reference_id":"CVE-2023-34093","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34093"},{"reference_url":"https://github.com/advisories/GHSA-chmr-rg2f-9jmf","reference_id":"GHSA-chmr-rg2f-9jmf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-chmr-rg2f-9jmf"},{"reference_url":"https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf","reference_id":"GHSA-chmr-rg2f-9jmf","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66257?format=json","purl":"pkg:npm/%40strapi/strapi@4.10.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.10.8"}],"aliases":["CVE-2023-34093","GHSA-chmr-rg2f-9jmf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bpn-j31w-k7gb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44979?format=json","vulnerability_id":"VCID-6tkp-v5jw-dke9","summary":"Cleartext Storage of Sensitive Information\nStrapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22894","reference_id":"","reference_type":"","scores":[{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95268","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95275","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22894"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/releases","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://github.com/strapi/strapi/releases"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v4.8.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/releases/tag/v4.8.0"},{"reference_url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"},{"reference_url":"https://www.ghostccamm.com/blog/multi_strapi_vulns","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.ghostccamm.com/blog/multi_strapi_vulns"},{"reference_url":"https://www.ghostccamm.com/blog/multi_strapi_vulns/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://www.ghostccamm.com/blog/multi_strapi_vulns/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22894","reference_id":"CVE-2023-22894","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22894"},{"reference_url":"https://github.com/advisories/GHSA-jjqf-j4w7-92w8","reference_id":"GHSA-jjqf-j4w7-92w8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jjqf-j4w7-92w8"},{"reference_url":"https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8","reference_id":"GHSA-jjqf-j4w7-92w8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64820?format=json","purl":"pkg:npm/%40strapi/strapi@4.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.8.0"}],"aliases":["CVE-2023-22894","GHSA-jjqf-j4w7-92w8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tkp-v5jw-dke9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110490?format=json","vulnerability_id":"VCID-apu8-13ex-gqhx","summary":"Strapi 4.1.12 Cross-site Scripting via crafted file\nAn unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file. After an authenticated attacker uploads a file containing a malicious URL, a victim copies and pastes the malicious URL into a new tab to receive the XSS payload.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32114","reference_id":"","reference_type":"","scores":[{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86475","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86452","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32114"},{"reference_url":"https://docs.strapi.io/dev-docs/configurations/public-assets","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.strapi.io/dev-docs/configurations/public-assets"},{"reference_url":"https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles"},{"reference_url":"https://github.com/bypazs/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bypazs/strapi"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14"},{"reference_url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33"},{"reference_url":"https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32114","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32114"},{"reference_url":"https://github.com/advisories/GHSA-4vm8-j95f-j6v5","reference_id":"GHSA-4vm8-j95f-j6v5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vm8-j95f-j6v5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/596882?format=json","purl":"pkg:npm/%40strapi/strapi@4.2.0-alpha.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.2.0-alpha.0"}],"aliases":["CVE-2022-32114","GHSA-4vm8-j95f-j6v5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-apu8-13ex-gqhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109177?format=json","vulnerability_id":"VCID-dxss-at1b-vkaq","summary":"Strapi mishandles hidden attributes within admin API responses\nStrapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31367","reference_id":"","reference_type":"","scores":[{"value":"0.00665","scoring_system":"epss","scoring_elements":"0.71643","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00665","scoring_system":"epss","scoring_elements":"0.71599","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31367"},{"reference_url":"https://github.com/kos0ng/CVEs/tree/main/CVE-2022-31367","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T13:50:00Z/"}],"url":"https://github.com/kos0ng/CVEs/tree/main/CVE-2022-31367"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/pull/13185","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/pull/13185"},{"reference_url":"https://github.com/strapi/strapi/pull/13189","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/pull/13189"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v3.6.10","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T13:50:00Z/"}],"url":"https://github.com/strapi/strapi/releases/tag/v3.6.10"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v4.1.10","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-22T13:50:00Z/"}],"url":"https://github.com/strapi/strapi/releases/tag/v4.1.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31367","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31367"},{"reference_url":"https://github.com/advisories/GHSA-4phg-hpqm-c3j4","reference_id":"GHSA-4phg-hpqm-c3j4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4phg-hpqm-c3j4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145974?format=json","purl":"pkg:npm/%40strapi/strapi@4.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-apu8-13ex-gqhx"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.1.10"}],"aliases":["CVE-2022-31367","GHSA-4phg-hpqm-c3j4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dxss-at1b-vkaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46333?format=json","vulnerability_id":"VCID-jpqv-dukr-fyhu","summary":"Unauthorized Access to Private Fields in User Registration API\n### System Details\n| Name   | Value         |\n|----------|------------------------|\n| OS    | Windows 11       |\n| Version | 4.11.1 (node v16.14.2) |\n| Database | mysql         |\n\n\n### Description\nI marked some fields as private fields in user content-type, and tried to register as a new user via api, at the same time I added content to fill the private fields and sent a post request, and as you can see from the images below, I can write to the private fields. To prevent this, I went to the extension area and tried to extend the register method, for this I wanted to do it using the sanitizeInput function that I know in the source codes of the strap. But the sanitizeInput function does not filter out private fields.\n\n```js\n const { auth } = ctx.state;\n const data = ctx.request.body;\n const userSchema = strapi.getModel(\"plugin::users-permissions.user\");\n\n sanitize.contentAPI.input(data, userSchema, { auth });\n```\n\nhere's the solution I've temporarily kept to myself, code snippet\n\n```js\n const body = ctx.request.body;\n\n const { attributes } = strapi.getModel(\"plugin::users-permissions.user\");\n\n const sanitizedData = _.omitBy(body, (data, key) => {\n  const attribute = attributes[key];\n\n  if (_.isNil(attribute)) {\n   return false;\n  }\n\n  //? If you want, you can throw an error for fields that we does not expect.\n\n  // if (_.isNil(attribute))\n  //  throw new ApplicationError(`Unexpected value ${key}`);\n\n  // if private value is true, we do not want to send it to the database.\n  return attribute.private;\n });\n\n return sanitizedData;\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39345","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23547","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39345"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-sept-2023","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-sept-2023"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39345","reference_id":"CVE-2023-39345","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39345"},{"reference_url":"https://github.com/advisories/GHSA-gc7p-j5xm-xxh2","reference_id":"GHSA-gc7p-j5xm-xxh2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gc7p-j5xm-xxh2"},{"reference_url":"https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2","reference_id":"GHSA-gc7p-j5xm-xxh2","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T19:26:27Z/"}],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67608?format=json","purl":"pkg:npm/%40strapi/strapi@4.13.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.13.1"}],"aliases":["CVE-2023-39345","GHSA-gc7p-j5xm-xxh2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jpqv-dukr-fyhu"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43244?format=json","vulnerability_id":"VCID-qcu6-ntuc-byea","summary":"Insecure Storage of Sensitive Information\nStoring passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.","references":[{"reference_url":"http://packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46440","reference_id":"","reference_type":"","scores":[{"value":"0.03089","scoring_system":"epss","scoring_elements":"0.87049","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03089","scoring_system":"epss","scoring_elements":"0.87027","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46440"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/pull/12246","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/pull/12246"},{"reference_url":"https://hub.docker.com/r/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hub.docker.com/r/strapi/strapi"},{"reference_url":"https://strapi.io","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://strapi.io"},{"reference_url":"https://strapi.io/","reference_id":"","reference_type":"","scores":[],"url":"https://strapi.io/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46440","reference_id":"CVE-2021-46440","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46440"},{"reference_url":"https://github.com/advisories/GHSA-85vg-grr5-pw42","reference_id":"GHSA-85vg-grr5-pw42","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-85vg-grr5-pw42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61971?format=json","purl":"pkg:npm/%40strapi/strapi@4.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j5t-31jf-aucc"},{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-apu8-13ex-gqhx"},{"vulnerability":"VCID-dxss-at1b-vkaq"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.1.5"}],"aliases":["CVE-2021-46440","GHSA-85vg-grr5-pw42"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qcu6-ntuc-byea"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.1.5"}