CVE-2023-34093: 
JavaScript vulnerability analysis and mitigation

CVE-2023-34093 affects Strapi, an open-source headless content management system, in versions prior to 4.10.8. The vulnerability allows anyone (developers, users, plugins) to inadvertently make every attribute of a Content-Type public without knowing it. This security issue was discovered and patched in version 4.10.8, released on June 7, 2023 (Strapi Release, GitHub Advisory).

The vulnerability stems from the content-type handling mechanism where extending content types using the container API could remove the privateAttributes getter. This occurs when users extend content types at runtime using strapi.container.get('content-types').extend(). The CVSS v3.1 score is 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N, though NVD rates it as 7.1 (High) (NVD).

The vulnerability can lead to sensitive information exposure, including password hashes, potentially allowing attackers to take control of the entire system. The impact varies depending on how users are implementing and extending content-types. If users are directly mutating the content-type, they are not affected (GitHub Advisory).

The primary mitigation is to upgrade to Strapi version 4.10.8 or later, which contains the patch for this vulnerability. This affects multiple Strapi packages including @strapi/strapi, @strapi/database, and @strapi/utils (FortiGuard).