CVE-2023-48218
Bypass of field access control in strapi-plugin-protected-populate
CVSS 3.1 base score 5.3 (MEDIUM); EPSS 0.30%
Description
Impact
Users are able to bypass the plugin's field-level security: fields that a user was not allowed to populate could be populated anyway, even when the request explicitly asked for something the user had no access to. (The plugin restricts which relations and fields a requester may select through Strapi's `populate` query parameter, so a bypass exposes data the content-type permissions were meant to hide.)
Patches
This issue has been patched in 1.3.4.
Workarounds
None.
How to fix CVE-2023-48218
To remediate CVE-2023-48218, upgrade the affected package to a fixed version below.
- strapi-plugin-protected-populate: upgrade to 1.3.4 or later
Is CVE-2023-48218 being exploited?
Low. The EPSS score is 0.30%, i.e. the model estimates roughly a 0.3% probability of exploitation in the wild over the next 30 days; EPSS is a prediction, not a record of observed attacks, but a value this low indicates no exploitation at scale.
Affected packages (1)
- strapi-plugin-protected-populate: introduced in 0, fixed in 1.3.4 (every version below 1.3.4 is affected)
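The affected range above uses OSV semantics (introduced 0, fixed 1.3.4, so every version that sorts below 1.3.4 is vulnerable). The following is an added example, not code from the strapi-plugin-protected-populate project, that walks a package-lock.json and reports whether the installed copy falls in that range. The semver comparison is implemented inline to show the one edge case that matters here: a prerelease such as 1.3.4-beta.1 sorts below 1.3.4 and is therefore still affected. The sample lock file is constructed for the example.

```javascript
// Added example (not the plugin's own code): locate strapi-plugin-protected-populate
// in a package-lock.json and decide whether it is in the CVE-2023-48218 range
// "introduced 0, fixed 1.3.4".
const AFFECTED_PACKAGE = "strapi-plugin-protected-populate";
const FIXED_VERSION = "1.3.4";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata never affects ordering.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease ordering per semver 2.0: numeric identifiers compare numerically,
// alphanumeric ones lexically, numeric < alphanumeric, and a shorter prefix sorts first.
// An empty prerelease list is the final release, which sorts above any prerelease.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) { if (+a[i] !== +b[i]) return +a[i] < +b[i] ? -1 : 1; }
    else if (an) return -1;
    else if (bn) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  return comparePre(a.pre, b.pre);
}

// OSV range semantics: affected when introduced <= v < fixed. With introduced "0",
// every version below the fix is affected, including prereleases of 1.3.4 itself.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of the package from a parsed package-lock.json.
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path; v1 nests "dependencies".
function findInstalled(lock, name = AFFECTED_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [n, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${n}`;
        if (n === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Convenience wrapper for the raw text of a lock file (e.g. read from disk by the caller).
function auditLockJson(text) {
  return findInstalled(JSON.parse(text));
}

// Constructed sample lock (lockfileVersion 3) standing in for a real project's lock file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-strapi-app", version: "0.1.0" },
    "node_modules/strapi-plugin-protected-populate": { version: "1.3.2" },
    "node_modules/some-other-plugin": { version: "2.0.0" },
  },
};

for (const r of findInstalled(SAMPLE_LOCK)) {
  console.log(`${r.path} ${r.version} ${r.affected ? "AFFECTED by CVE-2023-48218" : "fixed"}`);
}
```

To audit a real project, read its package-lock.json and pass the text to `auditLockJson`; a non-empty result with `affected: true` means the lock still pins a vulnerable copy, and nested copies (paths containing a second `node_modules/`) are reported as well, since a transitive install of the plugin is just as exposed as a direct one.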
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Vector breakdown: network-reachable (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope unchanged (S:U), low confidentiality impact (C:L) with no integrity or availability impact. The score reflects disclosure of fields the requester was not permitted to populate, not the ability to modify them.
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-48218
- PATCH: https://github.com/strapi-community/strapi-plugin-protected-populate
- WEB: https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39
- WEB: https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4