CWE-200

CVE-2023-37263: Strapi's field level permissions not being respected in relationship title

First published: Wed Sep 13 2023

### Summary

Field level permissions are not respected in the relationship title. If I have a relationship title and the relationship shows a field I don't have permission to see, it will still be visible.

### Details

No RBAC checks on the relationship that the relation endpoint returns.

### PoC

#### Setup

1. Create a fresh Strapi instance.
2. Create a new content type; in the newly created content type, add a relation to the users-permissions user. Save.
3. Create a users-permissions user.
4. Use your created content type and create an entry in it related to the users-permissions user.
5. Go to Settings -> Admin panel -> Roles -> Author.
6. Give the Author role full permissions on the content type you created. Make sure they don't have any permission to see User. Save.
7. Create a new admin account with only the Author role.

#### CVE

1. Log in with the newly created Author account.
2. Go to the Content Manager, to the collection type you created with the relationship to users_permissions_user.
3. You now see a field you don't have permission to view.

### Impact

RBAC field-level checks are bypassed: data selected by the admin user as the relationship title is leaked to the person holding this specific role, even though it could be a sensitive field they should not be allowed to see.
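The advisory's point is that the relation endpoint built the relationship title (the target's "main field") without consulting the requesting role's field-level read permissions. The following is an added illustration, not Strapi's own code: it models a tiny permission table and shows the unchecked lookup beside a checked one that redacts the main field when the role may not read it, plus a version check against the fixed release stated on this page. The permission table shape, the `api::article.article` content type and the sample user are constructed assumptions; `plugin::users-permissions.user` is the UID Strapi uses for that model.

```javascript
// Added example (not Strapi code): enforce field-level read permissions when a
// relation endpoint returns the target's main field as the relationship title.

// Constructed sample: readable fields per admin role and content-type UID.
// The shape is a hypothetical simplification, not Strapi's RBAC API.
const permissions = {
  author: {
    'api::article.article': ['title', 'body', 'owner'],
    // No entry for the users-permissions user: the Author role may read none of its fields.
  },
  superadmin: {
    'api::article.article': ['title', 'body', 'owner'],
    'plugin::users-permissions.user': ['username', 'email'],
  },
};

const REDACTED = '[hidden]';

// True when the role's permission set lists `field` as readable on `uid`.
function canReadField(role, uid, field) {
  const byRole = permissions[role] || {};
  const fields = byRole[uid] || [];
  return fields.includes(field);
}

// Vulnerable shape: the main field is returned for every relation target,
// regardless of who is asking. This is the behaviour the advisory describes.
function listRelationsUnchecked(targets, mainField) {
  return targets.map((t) => ({ id: t.id, [mainField]: t[mainField] }));
}

// Hardened shape: the id is kept so the relation stays navigable, but the
// main field is redacted whenever the role lacks read permission on it.
function listRelationsChecked(role, targets, mainField) {
  return targets.map((t) => ({
    id: t.id,
    [mainField]: canReadField(role, t.uid, mainField) ? t[mainField] : REDACTED,
  }));
}

// Affected-version check: the page lists every release before 4.12.1 as
// affected. Pre-release suffixes (e.g. "-beta.1") are ignored by parseInt.
function isAffectedVersion(version) {
  const fixed = [4, 12, 1];
  const parts = version.split('.').map((p) => parseInt(p, 10));
  for (let i = 0; i < fixed.length; i++) {
    const v = Number.isNaN(parts[i]) ? 0 : parts[i];
    if (v !== fixed[i]) return v < fixed[i];
  }
  return false;
}

// Constructed sample relation targets: users-permissions users whose
// email is configured as the relation's main field (the "relationship title").
const sampleUsers = [
  { uid: 'plugin::users-permissions.user', id: 7, username: 'alice', email: 'alice@example.invalid' },
  { uid: 'plugin::users-permissions.user', id: 9, username: 'bob', email: 'bob@example.invalid' },
];

// Stand-alone demonstration of the two behaviours for the Author role.
console.log('unchecked:', listRelationsUnchecked(sampleUsers, 'email'));
console.log('checked (author):', listRelationsChecked('author', sampleUsers, 'email'));
console.log('4.12.0 affected:', isAffectedVersion('4.12.0'));
```

The checked variant keeps the relation id visible on purpose: the defect the advisory describes is disclosure of the main field's value, not the existence of the relation, so redacting only the field is enough to close the leak without breaking the relation picker for roles that may link to users they cannot read.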

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Strapi | < 4.12.1 | Upgrade to 4.12.1 |

Frequently Asked Questions

  • What is CVE-2023-37263?

    CVE-2023-37263 is a vulnerability in the Strapi open-source headless content management system that allows unauthorized users to see fields they do not have permission to see in a relationship title.

  • What is the severity of CVE-2023-37263?

    The severity of CVE-2023-37263 is medium with a CVSS score of 6.8.

  • How does CVE-2023-37263 affect Strapi?

    CVE-2023-37263 affects Strapi versions prior to 4.12.1, specifically in the handling of field level permissions in relationship titles.

  • Is there a fix for CVE-2023-37263?

    Yes, the vulnerability has been fixed in Strapi version 4.12.1.

  • Where can I find more information about CVE-2023-37263?

    More information about CVE-2023-37263 can be found at the following references: [Link to GitHub Advisory](https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc), [Link to Strapi Release](https://github.com/strapi/strapi/releases/tag/v4.12.1), [Link to GitHub Advisory](https://github.com/advisories/GHSA-m284-85mf-cgrc).
