GHSA-6h67-934r-82g7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6h67-934r-82g7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6h67-934r-82g7/GHSA-6h67-934r-82g7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6h67-934r-82g7
- Aliases
- Published
- 2023-11-20T21:01:43Z
- Modified
- 2023-11-20T21:27:09.273431Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Bypass of field access control in strapi-plugin-protected-populate
- Details
-
Impact
Users are able to bypass the field level security. This means fields that they where not allowed to populate could be populated anyway even in the event that they tried to populate something that they don't have access to.
Patches
This issue has been patched in 1.3.4
Workarounds
None
- References
-
- https://github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7
- https://nvd.nist.gov/vuln/detail/CVE-2023-48218
- https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39
- https://github.com/strapi-community/strapi-plugin-protected-populate
- https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4
Affected packages
npm / strapi-plugin-protected-populate
Package
- Name
- strapi-plugin-protected-populate
- View open source insights on deps.dev
- Purl
- pkg:npm/strapi-plugin-protected-populate