Boegie19

**Name of the Vulnerable Software and Affected Versions** Strapi Protected Populate Plugin versions prior to 1.3.4 **Description** The issue allows users to bypass field level security, enabling them to populate fields they do not have access to. This affects `get` endpoints, which are protected by the Strapi Protected Populate Plugin to prevent revealing too much information. **Recommendations** For versions prior to 1.3.4, update to version 1.3.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive fields until the update can be applied. Avoid using the `get` endpoints to populate sensitive fields until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Strapi versions prior to 4.11.7 **Description** The issue allows an unauthorized actor to access user reset password tokens if they have configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This can lead to privilege escalation, as a non-admin user can obtain the reset token of an admin user's account and use it to reset the password. **Recommendations** For versions prior to 4.11.7, update to version 4.11.7 to resolve the issue. As a temporary workaround, consider restricting access to the `/content-manager/relations` route or disabling the configure view permission for non-admin users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Strapi versions prior to 4.12.1 **Description** The issue concerns field level permissions not being respected in the relationship title. If an actor has a relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. This could lead to data leaks of sensitive fields that the actor should not be allowed to see. The problem arises due to the lack of Role-Based Access Control (RBAC) checks on the relationship endpoint. **Recommendations** For Strapi versions prior to 4.12.1, update to version 4.12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the relationship title feature until the update is applied. Additionally, review and adjust the permissions for all roles to ensure that they do not have access to sensitive fields they should not be able to see.

**Name of the Vulnerable Software and Affected Versions** Strapi versions prior to 4.10.8 **Description** The issue allows for the leakage of private fields when using the `t(number)` prefix. This is possible because the Knex query allows users to change the default prefix. For example, changing the prefix to match another table can alter the query from `password` to `t1.password`, bypassing filtering protections that normally protect `password`. This can lead to filtering attacks on sensitive information, including admin passwords and reset tokens. **Recommendations** For versions prior to 4.10.8, update to version 4.10.8 to resolve the issue. As a temporary workaround, consider avoiding the use of the `t(number)` prefix in queries until the update can be applied. Restrict access to sensitive fields and tables to minimize the risk of exploitation. Avoid using the `password` field in queries with altered prefixes until the issue is resolved.