Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| @strapi/plugin-content-manager(npm) | 0 | 4.11.7 | N/A |
| @strapi/admin(npm) | 0 | 4.11.7 | N/A |
| @strapi/utils(npm) | 0 | 4.11.7 | N/A |
CVSS Metrics
