Published: 19/04/2023 Updated: 01/05/2023

CVSS v3 Base Score: 4.9 | Impact Score: 3.6 | Exploitability Score: 1.2

VMScore: 0

Strapi up to and including 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

Vulnerable Product	Search on Vulmon	Subscribe to Product
strapi strapi

CVE-2023-22894

Unauthenticated Strapi Exploit: CVE-2023-22894 This repository contains a proof of concept (PoC) exploit for CVE-2023-22894, which allows unauthenticated users to leak sensitive information and hijack Strapi administrator accounts by exploiting Strapi's filtering functionality on private fields Overview This exploit targets Strapi versions <=471 and demonstrates

CWE-312 https://www.ghostccamm.com/blog/multi_strapi_vulns/https://github.com/strapi/strapi/releases https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve https://nvd.nist.gov https://github.com/Saboor-Hakimi/CVE-2023-22894

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-22894

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect