GHSA-6h67-934r-82g7

Source

https://github.com/advisories/GHSA-6h67-934r-82g7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6h67-934r-82g7/GHSA-6h67-934r-82g7.json

Aliases

• CVE-2023-48218

Published

2023-11-20T21:01:43Z

Modified

2023-11-20T21:27:09.273431Z

Details

Impact

Users are able to bypass the field level security. This means fields that they where not allowed to populate could be populated anyway even in the event that they tried to populate something that they don't have access to.

Patches

This issue has been patched in 1.3.4

Workarounds

None

References

• https://github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7
• https://nvd.nist.gov/vuln/detail/CVE-2023-48218
• https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39
• https://github.com/strapi-community/strapi-plugin-protected-populate
• https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4