CVE-2024-56143

High CVSS: 8.2

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

Vendor

Strapi

Product

Strapi

CWE

CWE-639

Yayın Tarihi

2025-10-16 16:15:36

Güncelleme

2025-12-31 01:05:40

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Strapi HIGH Strapi 2025

Referanslar

https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8 https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2

Benzer Kayıtlar

Medium

CVE-2025-25298

Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum passwor…

Medium

CVE-2025-53092

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfigura…

Medium

CVE-2024-52588

Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks…