Vulnerabilities > CVE-2024-29181 - Authorization Bypass Through User-Controlled Key vulnerability in Strapi

047910
CVSS 3.5 - LOW
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
strapi
CWE-639
NVD
Published: 2024-06-12
Updated: 2024-09-26

Summary

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.

Vulnerable Configurations

Part Description Count
Application
Strapi
536

Common Weakness Enumeration (CWE)

References