PT-2023-25867 · Strapi · Strapi
Boegie19 · Published 2023-09-13 · Updated 2024-09-25 · CVE-2023-37263

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.12.1

Description: Field-level permissions are not respected in the relationship title. If an actor has access to a relationship title and that relationship displays a field the actor does not have permission to see, the field is still shown. This can leak sensitive fields that the actor should not be allowed to see. The root cause is the absence of Role-Based Access Control (RBAC) checks on the relationship endpoint.

Recommendations: For Strapi versions prior to 4.12.1, update to version 4.12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the relationship title feature until the update is applied. Additionally, review and adjust the permissions of all roles to ensure that none of them has access to sensitive fields it should not be able to see.

Tags: Exploit · Fix · Information Disclosure · Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2023-37263, GHSA-M284-85MF-CGRC

Affected Products: Strapi