CVE-2023-39345

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-39345
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39345.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-39345
Aliases
Published
2023-11-06T18:26:20.324Z
Modified
2025-11-29T14:29:54.464882Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L CVSS Calculator
Summary
Unauthorized Access to Private Fields in User Registration API in strapi
Details

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39345.json"
}
References

Affected packages

Git / github.com/strapi/strapi

Affected ranges

Type
GIT
Repo
https://github.com/strapi/strapi
Events
Introduced
b181702f0202b2c6d645d42b195a831f25cd0b03
Fixed
a9afeb90c525d9b8ab033aa0c87e03a72134e0dd

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.1.0
v4.1.1
v4.1.10
v4.1.10-beta.0
v4.1.11
v4.1.12
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.10.0
v4.10.1
v4.10.2
v4.10.4
v4.10.5
v4.10.6
v4.10.7
v4.10.8
v4.11.0
v4.11.1
v4.11.2
v4.11.3
v4.11.4
v4.11.5
v4.11.7
v4.12.0
v4.12.1
v4.12.5
v4.12.6
v4.12.7
v4.2.0-alpha.0
v4.2.0-beta.0
v4.2.0-beta.1
v4.2.0-beta.2
v4.2.0-beta.3
v4.2.0-beta.4
v4.2.2
v4.2.3
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.0-alpha.0
v4.4.1
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.6.0
v4.6.1
v4.6.2
v4.7.0
v4.7.1
v4.8.0
v4.8.1
v4.8.2
v4.9.0
v4.9.1
v4.9.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39345.json"