CVE-2023-22894: 
JavaScript vulnerability analysis and mitigation

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The vulnerability (CVE-2023-22894) enables attackers to filter users by columns containing sensitive information and infer values from API responses. If the attacker has super admin access, they can exploit this to discover password hashes and password reset tokens of all users. For accounts with lower privileges (e.g., Editor or Author), the vulnerability allows discovery of sensitive information for API users but not other admin accounts (Strapi Blog, NVD).

The vulnerability is identified as CWE-312 (Cleartext Storage of Sensitive Information) and affects Strapi versions >=3.2.1 and <4.8.0. The issue lies in the query filter functionality that allows authenticated users to access sensitive columns in the database through API responses. The vulnerability can be exploited by filtering users by columns that contain sensitive information, including password hashes and reset tokens (FortiGuard).

The impact varies based on the attacker's access level. With super admin access, attackers can obtain password hashes and password reset tokens for all users. With lower-privileged admin panel access (Editor/Author), attackers can discover sensitive information for API users, though not for other admin accounts. This vulnerability could lead to unauthorized access to user accounts and potential system compromise (Strapi Blog).

The primary mitigation is to update Strapi to version 4.8.0 or later. For users running Strapi 3.x.x, an immediate update to a patched 4.x.x version is critical, as version 3.x.x reached end-of-life support on December 31st, 2022, and will not receive security updates (Strapi Blog).