Home > Vulnerability Database > CVE-2023-22894

Mend.io Vulnerability Database

CVE-2023-22894

Good to know:

Date: April 19, 2023

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

Language: JS

Severity Score

4.9

Related Resources (5)

Url: https://github.com/strapi/strapi/releases

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-22894

Url: https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

Url: https://www.ghostccamm.com/blog/multi_strapi_vulns/

Url: https://www.mend.io/vulnerability-database/CVE-2023-22894

Severity Score

4.9

Weakness Type (CWE)

Cleartext Storage of Sensitive Information

CWE-312

Top Fix

Upgrade Version

Upgrade to version @strapi/strapi - 4.8.0

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-22894

Good to know:

Date: April 19, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?