CVE-2023-48218 – strapi-plugin-protected-populate
Package
Manager: npm
Name: strapi-plugin-protected-populate
Vulnerable Version: >=0 <1.3.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00296 (percentile: 0.5246)
Details
Bypass of field access control in strapi-plugin-protected-populate

### Impact
Users are able to bypass the field-level security. Fields that they were not allowed to populate could be populated anyway, even when they tried to populate something that they don't have access to.

### Patches
This issue has been patched in 1.3.4.

### Workarounds
None
Metadata
Created: 2023-11-20T21:01:43Z
Modified: 2023-11-20T21:01:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6h67-934r-82g7/GHSA-6h67-934r-82g7.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-6h67-934r-82g7
Finding: F006
Auto approve: 1