PT-2024-22786 · Strapi · Strapi+1

Felixdkatt · Published 2024-06-12 · Updated 2024-09-26 · CVE-2024-29181

CVSS v3.1: 2.3 (Low)
Vector: AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.19.1

Description: The issue concerns Strapi, an open-source content management system. In affected versions, when a super admin creates a collection with an item related to another collection, a user with the Author role can see the list of related items they did not create, although they should only see their own items. As a result, authors gain access to protected data created by admins, which could include sensitive information such as passwords or e-mail addresses.

Recommendations: For Strapi versions prior to 4.19.1, upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch. As a temporary workaround, consider restricting access to related items in collections to minimize the risk of unauthorized data access.
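An added illustration of the weakness class described above (this is not Strapi's code and not the patched plugin): a minimal in-memory model in which the related-item lookup for an Author is scoped by the same ownership condition that already applies to the author's own collection. User names, collection names, and the createdBy field are constructed for the demo.

```javascript
// Added example, not Strapi code: ownership-scoped lookup of related items.
// Models two collections: "articles" relate to "contacts". The advisory's
// concern is that an Author picking a related contact could see every contact,
// including ones created by the super admin. All data below is constructed.

const users = {
  admin: { id: 1, role: 'super-admin' },
  alice: { id: 2, role: 'author' },
};

// Constructed related collection; createdBy records who created each row.
const contacts = [
  { id: 10, email: 'ceo@example.invalid', createdBy: 1 },
  { id: 11, email: 'alice-friend@example.invalid', createdBy: 2 },
];

// Vulnerable pattern: the relation lookup returns every related target and
// never consults the requesting user's ownership scope.
function listRelatedContactsVulnerable(_user) {
  return contacts.map((c) => c.id);
}

// Fixed pattern: derive the ownership predicate from the role and apply it to
// the related collection before returning candidates. Admin keeps full scope.
function ownershipScope(user) {
  return user.role === 'author' ? (row) => row.createdBy === user.id : () => true;
}

function listRelatedContactsFixed(user) {
  return contacts.filter(ownershipScope(user)).map((c) => c.id);
}

// Defender-side regression check: for an Author, every returned related item
// must have been created by that same user. Returns true if foreign rows leak.
function leaksForeignItems(user, listFn) {
  if (user.role !== 'author') return false;
  return listFn(user).some((id) => {
    const row = contacts.find((c) => c.id === id);
    return row === undefined || row.createdBy !== user.id;
  });
}

// Usage: compare both lookups for the Author account.
console.log('vulnerable:', listRelatedContactsVulnerable(users.alice),
  'leaks?', leaksForeignItems(users.alice, listRelatedContactsVulnerable));
console.log('fixed:', listRelatedContactsFixed(users.alice),
  'leaks?', leaksForeignItems(users.alice, listRelatedContactsFixed));
```

The check in leaksForeignItems is the kind of assertion worth keeping in a test suite after upgrading: it fails whenever a role-restricted user receives a related item whose createdBy differs from their own id.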

Tags: Exploit, Fix, IDOR

Weakness Enumeration

Related Identifiers:
CVE-2024-29181
GHSA-6J89-FRXC-Q26M

Affected Products:
@Strapi/Plugin-Content-Manager
Strapi