PT-2023-24759 · Strapi · Strapi

Boegie19 · Published 2023-07-25 · Updated 2025-11-26 · CVE-2023-34235

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Strapi versions prior to 4.10.8

Description

Private fields can be leaked when a query uses the t(number) prefix. This is possible because the Knex query allows users to change the default prefix. For example, changing the prefix to match another table can alter the query from password to t1.password, which bypasses the filtering protections that normally protect password. This can lead to filtering attacks on sensitive information, including admin passwords and reset tokens.

Recommendations

Update installations running versions prior to 4.10.8 to version 4.10.8 to resolve the issue. As a temporary workaround, consider avoiding the use of the t(number) prefix in queries until the update can be applied. Restrict access to sensitive fields and tables to minimize the risk of exploitation. Avoid using the password field in queries with altered prefixes until the issue is resolved.
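
The bypass described above comes down to matching a field name exactly while the same column can also be reached as t1.password. As an added example (not Strapi's code; the function names and the sample attribute lists are assumptions), the following contrasts an exact-match denylist with an allowlist of known attributes and flags t(number)-prefixed keys for logging:

```javascript
// Added illustration, not Strapi's code. Names and attribute lists are assumptions.
const PRIVATE = new Set(['password', 'resetPasswordToken']); // constructed sample
const PUBLIC = new Set(['id', 'username', 'email']);          // constructed sample

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Walk a parsed filter tree and keep only the keys that keep(key) accepts.
function walk(node, keep) {
  if (Array.isArray(node)) return node.map((n) => walk(n, keep));
  if (!isPlainObject(node)) return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    if (keep(key)) out[key] = walk(value, keep);
  }
  return out;
}

// Weak: exact-match denylist. "t1.password" is not equal to "password",
// so the prefixed reference survives and reaches the query builder.
function denylistSanitize(filters) {
  return walk(filters, (key) => !PRIVATE.has(key));
}

// Hardened: allowlist. A key must be an operator ($eq, $or, ...) or a known
// public attribute; anything carrying a table prefix is dropped.
function allowlistSanitize(filters) {
  return walk(filters, (key) => key.startsWith('$') || PUBLIC.has(key));
}

// Detection aid: collect keys that carry a t<number> prefix, for logging.
function findAliasedKeys(node, found = []) {
  if (Array.isArray(node)) node.forEach((n) => findAliasedKeys(n, found));
  else if (isPlainObject(node)) {
    for (const [key, value] of Object.entries(node)) {
      if (/^t\d+\./.test(key)) found.push(key);
      findAliasedKeys(value, found);
    }
  }
  return found;
}

// Constructed sample input: a parsed filter object with a prefixed key.
const sample = {
  $or: [{ username: { $eq: 'a' } }, { 't1.password': { $eq: 'x' } }, { password: { $eq: 'y' } }],
};
console.log('denylist :', JSON.stringify(denylistSanitize(sample)));
console.log('allowlist:', JSON.stringify(allowlistSanitize(sample)));
console.log('flagged  :', findAliasedKeys(sample));
```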

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related identifiers

CVE-2023-34235
GHSA-9XG4-3QFM-9W8F

Affected products

Strapi