CVE-2023-48218

Name of the Vulnerable Software and Affected Versions Strapi Protected Populate Plugin versions prior to 1.3.4

Description The issue allows users to bypass field level security, enabling them to populate fields they do not have access to. This affects get endpoints, which are protected by the Strapi Protected Populate Plugin to prevent revealing too much information.

Recommendations For versions prior to 1.3.4, update to version 1.3.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive fields until the update can be applied. Avoid using the get endpoints to populate sensitive fields until the issue is resolved.