CVE-2023-22894

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-22894

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22894.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-22894

Aliases

GHSA-jjqf-j4w7-92w8

Published

2023-04-19T16:15:07.303Z

Modified

2025-11-20T12:17:04.948800Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

References

Affected packages

Git / github.com/strapi/strapi

Affected ranges

Type: GIT
Repo: https://github.com/strapi/strapi
Events: Introduced

5a77b560e333604d052bfa83ad774769b5d6bc2e

Fixed

e239e408f99c9e61e6d02b38f01632ce67412f2a

Affected versions

v3.*

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

v3.6.7

v3.6.8

v4.*

v4.0.0

v4.0.0-beta.10

v4.0.0-beta.11

v4.0.0-beta.12

v4.0.0-beta.13

v4.0.0-beta.14

v4.0.0-beta.15

v4.0.0-beta.16

v4.0.0-beta.17

v4.0.0-beta.18

v4.0.0-beta.19

v4.0.0-beta.2

v4.0.0-beta.20

v4.0.0-beta.21

v4.0.0-beta.22

v4.0.0-beta.3

v4.0.0-beta.4

v4.0.0-beta.5

v4.0.0-beta.6

v4.0.0-beta.7

v4.0.0-beta.8

v4.0.0-beta.9

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.1.0

v4.1.1

v4.1.10

v4.1.10-beta.0

v4.1.11

v4.1.12

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.2.0-alpha.0

v4.2.0-beta.0

v4.2.0-beta.1

v4.2.0-beta.2

v4.2.0-beta.3

v4.2.0-beta.4

v4.2.2

v4.2.3

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.3.7

v4.3.8

v4.3.9

v4.4.0

v4.4.0-alpha.0

v4.4.1

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.6.0

v4.6.1

v4.6.2

v4.7.0

v4.7.1