Upgrade Strapi Now – Vulnerability Allows Malicious User Data Modification

CVE: CVE-2023-39345
CVSS (v3.1): 7.6
Source: CVE-2023-39345

Strapi is an open-source headless CMS that allows users to build custom content APIs. A vulnerability was discovered in earlier versions that could allow malicious users to modify their user records in unintended ways.

Specifically, in Strapi versions prior to 4.13.1, the user registration endpoint did not properly restrict fields marked as "private". This meant that any user could edit private profile fields, such as email address and name, without authorization.

A malicious user could exploit this to change private details or even impersonate other users on the site. They would just need to send modified data to the registration endpoint during the signup or login process.
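The defensive fix for this class of bug is to allowlist the attributes a registration request may set instead of copying the request body into the user record. The following is an added example, not Strapi's own code; the field names (`confirmed`, `role`) and the allowlist are assumptions for illustration.

```javascript
// Added example (not Strapi's own code): allowlist the attributes a
// self-service registration may set, so attributes the schema treats as
// private cannot be supplied by the caller. Field names are assumptions.

// Fields a new user is allowed to provide at registration.
const REGISTRATION_FIELDS = ['username', 'email', 'password'];

// Unsafe pattern: the request body is copied straight into the record that
// gets written, so any extra key (confirmed, role, ...) is persisted too.
function buildUserUnsafe(body) {
  return { ...body };
}

// Hardened pattern: copy only allowlisted keys; everything else is dropped
// and reported so the caller can log it (unexpected keys on a registration
// request are a useful detection signal).
function buildUserSafe(body, allowlist = REGISTRATION_FIELDS) {
  const user = {};
  const dropped = [];
  for (const key of Object.keys(body)) {
    if (allowlist.includes(key)) {
      user[key] = body[key];
    } else {
      dropped.push(key);
    }
  }
  return { user, dropped };
}

// Constructed sample payload: a registration request carrying extra keys
// that should never be settable by the person registering.
const SAMPLE_BODY = {
  username: 'alice',
  email: 'alice@example.invalid',
  password: 'correct horse battery staple',
  confirmed: true,
  role: 1,
};

const unsafe = buildUserUnsafe(SAMPLE_BODY);
const safe = buildUserSafe(SAMPLE_BODY);
console.log('unsafe keys:', Object.keys(unsafe).join(','));
console.log('safe keys:', Object.keys(safe.user).join(','),
  '| dropped:', safe.dropped.join(','));
```

Logging the `dropped` list at the registration endpoint gives a simple detection hook for requests that try to set fields they should not.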

The good news is that this issue has been resolved in Strapi 4.13.1. All Strapi users are strongly advised to upgrade immediately to the latest version to protect themselves against any attacks attempting to abuse this vulnerability.

There are no workarounds other than upgrading, so be sure to take action right away if you have an older Strapi installation. Keeping your software up-to-date is one of the best ways to stay secure online.
