Security Disclosure of Vulnerabilities: CVE-2023-34235 and CVE-2023-34093
Blog post from Strapi
Strapi has addressed two security vulnerabilities that affected its platform, with patches implemented following responsible disclosure protocols. The first vulnerability allowed unauthorized access to private field data through SQL join syntax; it has been resolved by limiting request sanitization to permitted attributes. This complex issue did not appear to have been exploited before disclosure. The second vulnerability involved Strapi Enterprise and Cloud customers who use bootstrap functions to customize content types, inadvertently making all attributes public because the sanitization getters were removed. Strapi advises users to review their application logs and code for potential issues and has released patches in versions v4.10.8 and later. The disclosure process included a mandatory waiting period to give users the opportunity to upgrade their systems before the vulnerabilities were publicly detailed, ensuring responsible management of security information. Strapi thanks both community members and internal team members for their contributions to identifying and addressing these vulnerabilities and encourages further collaboration through responsible disclosure.
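As an added illustration of the mitigation described above (example code, not Strapi's own): an allowlist-based sanitizer that drops private or unknown attributes from a request's filters, including attributes reached through a relation, which is the path a join would otherwise expose. The schema map and the `sanitizeFilters` function are constructed for this example.

```javascript
// Constructed schema for the example: each content type lists its attributes,
// marks private ones, and names the target of each relation.
const schemas = {
  article: {
    attributes: {
      title: { type: "string" },
      body: { type: "text" },
      internalNotes: { type: "text", private: true },
      author: { type: "relation", target: "author" },
    },
  },
  author: {
    attributes: {
      name: { type: "string" },
      email: { type: "email", private: true },
      passwordHash: { type: "string", private: true },
    },
  },
};

// Logical operators whose operands are themselves filter objects on the same type.
const LOGICAL = new Set(["$and", "$or", "$not"]);

// Walk a filter object for content type `uid`, keeping only permitted (non-private,
// known) attributes and recursing into relations with the target type's schema.
// Returns the cleaned filters plus the dotted paths that were rejected, for logging.
function sanitizeFilters(filters, uid, path = "", rejected = []) {
  const attrs = schemas[uid].attributes;
  const out = {};
  for (const [key, value] of Object.entries(filters)) {
    if (key.startsWith("$")) {
      if (LOGICAL.has(key)) {
        out[key] = Array.isArray(value)
          ? value.map((v) => sanitizeFilters(v, uid, path, rejected).filters)
          : sanitizeFilters(value, uid, path, rejected).filters;
      } else {
        out[key] = value; // comparison operator leaf, e.g. { $eq: ... }
      }
      continue;
    }
    const attr = attrs[key];
    const fullPath = path ? `${path}.${key}` : key;
    if (!attr || attr.private) {
      rejected.push(fullPath); // unknown or private attribute: never reaches the query
      continue;
    }
    if (attr.type === "relation") {
      const nested = sanitizeFilters(value, attr.target, fullPath, rejected).filters;
      if (Object.keys(nested).length > 0) out[key] = nested; // drop empty joins
      continue;
    }
    out[key] = value; // permitted scalar attribute: keep its operator object as-is
  }
  return { filters: out, rejected };
}
```

Logging the `rejected` paths gives the kind of signal the post suggests reviewing: repeated attempts to filter on a private attribute through a relation stand out clearly.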