{"vulnerability": "cve-2023-36472", "sightings": [{"uuid": "8b785725-9269-4720-935b-e82301371b06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-36472", "type": "seen", "source": "https://t.me/cibsecurity/70609", "content": "\u203c CVE-2023-36472 \u203c\n\nStrapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-15T22:25:41.000000Z"}, {"uuid": "c713fd25-ca08-4350-8adf-50538e4a0d45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2023-36472", "type": "published-proof-of-concept", "source": "https://github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4", "content": "", "creation_timestamp": "2023-09-13T15:15:10.000000Z"}]}