PT-2023-26892 · Strapi · Strapi

Dogusdeniz · Published 2023-11-03 · Updated 2023-11-14 · CVE-2023-39345

CVSS v3.1: 7.6 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: strapi versions prior to 4.13.1
Description: strapi is an open-source headless CMS. The issue arises from the improper restriction of write access to fields marked as private in the user registration endpoint. This allows malicious users to modify their user records. There are no known workarounds for this issue.
Recommendations: For versions prior to 4.13.1, upgrade to version 4.13.1 to address the issue. As a temporary workaround, consider implementing a custom sanitize function to filter out private fields, similar to the provided code snippet, until a patch is available. Restrict access to the user registration endpoint to minimize the risk of exploitation. Avoid using the private fields in the affected API endpoint until the issue is resolved.
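The recommendation above refers to a sanitize function that is not reproduced on this page. The following is an added illustration of that mitigation, written for this entry; it is not Strapi's code and not the snippet the advisory mentions. It assumes a Strapi-style content-type schema in which attributes may carry `private: true` (the `userSchema` object, the `REGISTRATION_ALLOWLIST`, and the `sampleBody` payload are constructed for the example). Rather than only stripping private fields, it allowlists the fields a self-registration may set and reports every dropped key with a reason, so an attempt to write a private field can be logged as a detection signal.

```javascript
// Constructed, Strapi-like schema fragment: attributes flagged `private: true`
// must never be writable through the public registration endpoint.
const userSchema = {
  attributes: {
    username:  { type: 'string' },
    email:     { type: 'email' },
    password:  { type: 'password', private: true },
    provider:  { type: 'string' },
    confirmed: { type: 'boolean', private: true },
    blocked:   { type: 'boolean', private: true },
    role:      { type: 'relation', private: true },
  },
};

// Fields a self-registering user may legitimately supply (hypothetical allowlist).
// Everything else is dropped, whether it is a private attribute, an unknown key,
// or a schema field that must only be set server-side.
const REGISTRATION_ALLOWLIST = new Set(['username', 'email', 'password']);

// Names of all attributes the schema marks `private: true`.
function privateFields(schema) {
  return new Set(
    Object.entries(schema.attributes)
      .filter(([, attr]) => attr.private === true)
      .map(([name]) => name)
  );
}

// Split a registration body into accepted fields and rejected keys, with a
// reason per rejected key ('private', 'not-allowed', or 'unknown') so the
// caller can log attempts to write fields that should be read-only.
function sanitizeRegistrationInput(body, schema, allowlist = REGISTRATION_ALLOWLIST) {
  const priv = privateFields(schema);
  const accepted = {};
  const rejected = {};
  for (const [key, value] of Object.entries(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema.attributes, key)) {
      rejected[key] = 'unknown';            // not in the schema at all
    } else if (!allowlist.has(key)) {
      rejected[key] = priv.has(key) ? 'private' : 'not-allowed';
    } else {
      accepted[key] = value;                // allowlisted (password is private but required here)
    }
  }
  return { accepted, rejected };
}

// Constructed sample payload: a legitimate registration plus attempts to set
// privileged fields directly.
const sampleBody = {
  username: 'alice',
  email: 'alice@example.test',
  password: 'correct horse battery staple',
  confirmed: true,
  blocked: false,
  role: 1,
  provider: 'local',
  isAdmin: true,
};

const result = sanitizeRegistrationInput(sampleBody, userSchema);
console.log('accepted:', result.accepted);
console.log('rejected:', result.rejected);
// In a real handler, a non-empty `rejected` map with reason 'private' is worth
// an audit log line before the accepted fields are passed to the data layer.
```

Only `username`, `email` and `password` survive; `confirmed`, `blocked` and `role` are reported as `private`, `provider` as `not-allowed`, and `isAdmin` as `unknown`. Putting the allowlist before the private-field check is deliberate: `password` is private in the schema yet is the one private field a registration must be allowed to set.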

Exploit

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2023-39345
GHSA-GC7P-J5XM-XXH2

Affected Products

Strapi