PT-2023-18758 · Strapi · Strapi

Author: Ghostccamm · Published 2023-04-18 · Updated 2025-11-07

CVE-2023-22894 · CVSS v3.1 9.8 (Critical) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Strapi versions 4.5.5 and earlier; Strapi versions 4.7.1 and earlier.

Description: The issue allows attackers with access to the admin panel to discover sensitive user details by exploiting the query filter. An attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, this can be exploited to discover the password hash and password reset token of all users. For attackers with admin panel access to an account with permission to access the username and email of API users with a lower privileged role, this can be exploited to discover sensitive information for all API users but not other admin accounts. Unauthenticated attackers can also exploit this to discover sensitive user details for Strapi administrators and API users, potentially hijacking Strapi administrator accounts and gaining unauthorized access.

Recommendations: For Strapi versions 4.5.5 and earlier, update to a version later than 4.5.5 to resolve the issue. For Strapi versions 4.7.1 and earlier, update to a version later than 4.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the admin panel and limiting the permissions of admin accounts to minimize the risk of exploitation. Restrict access to sensitive user details and consider implementing additional security measures to protect against unauthorized access.
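The description above is about query filters being applied to columns that should never be filterable. As an added defensive example (not Strapi's own code or the advisory's), the following detector walks bracketed filter parameters in the form `filters[field][$op]=value` and flags any request whose filter path touches a sensitive user column, so it can be run over access logs or used as a guard in front of the user endpoints. The sensitive field names, endpoint paths and log lines are constructed assumptions for illustration.

```javascript
// Added example (not Strapi's code): flag requests whose query filters
// reference sensitive user columns, the access pattern the advisory describes.
// Field names, endpoint paths and log lines below are constructed assumptions.
const SENSITIVE_FIELDS = new Set(['password', 'resetpasswordtoken', 'confirmationtoken']);

// Return the field names referenced by bracketed filter parameters such as
//   filters[password][$startsWith]=abc
//   filters[$or][0][role][users][password][$eq]=abc
// Operators ($eq, $or, ...) and array indexes are skipped; every segment of a
// relation path (role -> users -> password) is kept, so nested access to a
// sensitive column is still seen.
function filterFieldsFromQuery(queryString) {
  const fields = [];
  for (const key of new URLSearchParams(queryString).keys()) {
    if (!key.startsWith('filters[')) continue;
    const segments = (key.slice('filters'.length).match(/\[([^\]]*)\]/g) || [])
      .map((s) => s.slice(1, -1));
    for (const seg of segments) {
      if (seg.startsWith('$') || /^\d+$/.test(seg)) continue;
      fields.push(seg);
    }
  }
  return fields;
}

// True when any filter in the request URL targets a sensitive column.
function isSensitiveFilterRequest(url) {
  const qs = url.includes('?') ? url.slice(url.indexOf('?') + 1) : '';
  return filterFieldsFromQuery(qs).some((f) => SENSITIVE_FIELDS.has(f.toLowerCase()));
}

// Constructed access-log lines in the form "<method> <url> <status>".
const SAMPLE_LOG = [
  'GET /api/users?filters[username][$eq]=alice 200',
  'GET /api/users?filters[password][$startsWith]=abc 200',
  'GET /admin/users?filters[$or][0][email][$contains]=example.com 200',
  'GET /api/users?filters[$and][0][resetPasswordToken][$notNull]=true 200',
  'GET /api/users?sort=username 200',
];

// Return the log lines that deserve an alert (or a 400 in a guard middleware).
function findSensitiveFilterLines(lines) {
  return lines.filter((line) => {
    const url = line.split(' ')[1];
    return Boolean(url) && isSensitiveFilterRequest(url);
  });
}

console.log(findSensitiveFilterLines(SAMPLE_LOG));
```

The same `isSensitiveFilterRequest` check can sit in a request-handling middleware to reject such filters before they reach the database, which is the hardening the fixed versions apply on the server side.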

Weakness Enumeration: Cleartext Storage of Sensitive Information

Related Identifiers: CVE-2023-22894, GHSA-JJQF-J4W7-92W8

Affected Products: Strapi