PT-2023-24666 · Strapi · Strapi

Marc-Roig · Published 2023-07-25 · Updated 2023-08-03 · CVE-2023-34093

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.10.8

Description: The issue affects Strapi's handling of content types: every attribute of a Content-Type can be made public without the operator realising it. This can expose sensitive information, including password hashes, and from there allow an attacker to take control of the entire system. The vulnerability occurs when plugins or user modifications to a content type remove the privateAttributes getter, after which any attribute can become public. Everyone can be impacted, depending on how content types are used or extended, except those who are mutating the content-type.

Recommendations: For versions prior to 4.10.8, update to version 4.10.8 to resolve the issue. As a temporary workaround, avoid plugins or content-type modifications that could remove the privateAttributes getter, and review any modification of a content type carefully to prevent unintended exposure of attributes.
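The failure mode described above, as an added illustration that is not Strapi's code: a content type carries a `privateAttributes` getter, a hypothetical plugin rebuilds the schema from plain data and loses the getter, and a sanitizer that trusts the getter then returns every attribute, including the password hash. The hardened sanitizer recomputes the private set from the attribute definitions instead. The schema shape, the `example::user` uid and the sample record are assumptions constructed for the example.

```javascript
// Added illustration; not Strapi's code. The schema shape and the
// `privateAttributes` getter are modelled on the advisory's description.
const SAMPLE_ENTITY = {            // constructed record, not real data
  username: 'alice',
  email: 'alice@example.invalid',
  password: '$2a$10$CONSTRUCTED_PLACEHOLDER_HASH',
  resetPasswordToken: 'constructed-token',
};
function makeUserContentType() {
  return {
    uid: 'example::user',          // assumed uid, for illustration only
    attributes: {
      username: { type: 'string' },
      email: { type: 'email' },
      password: { type: 'password', private: true },
      resetPasswordToken: { type: 'string', private: true },
    },
    // Getter the sanitizer consults to learn which attributes to strip.
    get privateAttributes() {
      return Object.keys(this.attributes).filter(
        (name) => this.attributes[name].private === true);
    },
  };
}
// A hypothetical plugin that rebuilds the content type from plain data
// to add a field. The rebuilt object has no `privateAttributes` getter.
function extendWithNickname(ct) {
  return { uid: ct.uid,
    attributes: { ...ct.attributes, nickname: { type: 'string' } } };
}
function omit(entity, names) {
  return Object.fromEntries(
    Object.entries(entity).filter(([k]) => !names.includes(k)));
}
// Fragile: trusts the getter; a missing getter makes everything public.
function sanitizeNaive(ct, entity) {
  return omit(entity, ct.privateAttributes ?? []);
}
// Hardened: recomputes the private set from the attribute definitions
// (plus the well-known `password` type), so a lost getter cannot widen
// exposure. Fails closed if the schema itself is missing.
function sanitizeHardened(ct, entity) {
  if (!ct || typeof ct.attributes !== 'object') return {};
  const priv = Object.keys(ct.attributes).filter((n) =>
    ct.attributes[n].private === true || ct.attributes[n].type === 'password');
  return omit(entity, priv);
}
```

Running both sanitizers over the extended content type shows the difference: the naive one returns the password hash, the hardened one does not.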

Weakness Enumeration: Information Disclosure

Related Identifiers:
CVE-2023-34093
GHSA-CHMR-RG2F-9JMF

Affected Products: Strapi