PT-2023-25582 · Strapi · Strapi

Boegie19 · Published 2023-09-13 · Updated 2023-09-21 · CVE-2023-36472

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.11.7
Description: The issue allows an unauthorized actor with the configure view permission to access users' reset password tokens. The /content-manager/relations route does not remove private fields or ensure that they cannot be selected. This can lead to privilege escalation, as a non-admin user can obtain the reset token of an admin user's account and use it to reset the password.
Recommendations: For versions prior to 4.11.7, update to version 4.11.7 to resolve the issue. As a temporary workaround, consider restricting access to the /content-manager/relations route or disabling the configure view permission for non-admin users until the update is applied.
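The description names two missing controls on the relations route: private fields are neither stripped from results nor blocked from being selected. The following is an added illustration written for this page, not Strapi's own code: a hypothetical handler that enforces both controls, plus a regression check a tester can run against any response body. The names PRIVATE_FIELDS, sampleRows, handleRelations and responseLeaksPrivateFields are assumptions for this example, and the rows are constructed.

```javascript
// Added example, not Strapi code: a hypothetical relations handler that refuses to
// select private attributes and strips them from every row it returns.

// Constructed: attribute names a schema marks private. Strapi schemas flag such
// attributes with `private: true`; this set stands in for that metadata.
const PRIVATE_FIELDS = new Set(["password", "resetPasswordToken"]);

// Constructed sample rows standing in for admin-user records a relation lookup returns.
const sampleRows = [
  { id: 1, username: "admin", email: "admin@example.test", resetPasswordToken: "tok-abc" },
  { id: 2, username: "editor", email: "editor@example.test", resetPasswordToken: null },
];

// Drop every private attribute from one row, regardless of what the caller asked for.
function sanitizeRow(row, privateFields) {
  return Object.fromEntries(
    Object.entries(row).filter(([name]) => !privateFields.has(name))
  );
}

// Hardened handler: reject explicit selection of private fields, then sanitize output.
// `query.fields` is an optional array of requested attribute names.
function handleRelations(query, rows, privateFields) {
  const requested = Array.isArray(query.fields) ? query.fields : null;
  if (requested && requested.some((f) => privateFields.has(f))) {
    return { status: 400, body: { error: "private attribute cannot be selected" } };
  }
  const results = rows.map((row) => {
    const safe = sanitizeRow(row, privateFields);
    if (!requested) return safe;
    // Projection happens after sanitization, so a private field can never reappear.
    return Object.fromEntries(
      requested.filter((f) => f in safe).map((f) => [f, safe[f]])
    );
  });
  return { status: 200, body: { results } };
}

// Regression check for a response body: true if any returned row still carries a
// private attribute, which is the condition CVE-2023-36472 describes.
function responseLeaksPrivateFields(body, privateFields) {
  return (body.results || []).some((row) =>
    Object.keys(row).some((name) => privateFields.has(name))
  );
}
```

Running responseLeaksPrivateFields over the raw sampleRows returns true, and over the handler's output returns false, which is the check to keep in a test suite after applying the 4.11.7 update.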

Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2023-36472
GHSA-V8GG-4MQ2-88Q4

Affected Products

Strapi