CVE-2023-39345

HIGH

Strapi < 4.13.1 - Unauthenticated Private Field Modification via User Registration Endpoint

Title source: llm

Description

strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2

Scores

CVSS v3 7.6

EPSS 0.0050

EPSS Percentile 38.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (3)

strapi/plugin-users-permissions 4.0.0 - 4.13.1npm

strapi/strapi 4.0.0 - 4.13.1

strapi/strapi 4.0.0 - 4.13.1npm

Published Nov 06, 2023

Tracked Since Feb 18, 2026