HIGH🇵🇱 Wersja polska

CVE-2024-56143

CVSS 8.2v3.1pub. 2025-10-16upd. 2025-12-31

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  • Strapi

    APP
    Strapi
    5.0.0 – 5.5.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22599CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Strapi Content-Type Builder — możliwe RCE i odczyt plików

CVE-2026-27886CRITICAL9.2PL ✓ten sam produkt

Strapi: Path Traversal w filtrach relacyjnych umożliwia przejęcie konta admina

CVE-2022-27263CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute ...

CVE-2020-27664CRITICAL9.8ten sam produkt

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functi...

CVE-2019-18818CRITICAL9.8ten sam produkt

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and ...