CVE-2023-34235: 
JavaScript vulnerability analysis and mitigation

Strapi, an open-source headless content management system, disclosed a vulnerability (CVE-2023-34235) prior to version 4.10.8. The vulnerability was discovered and patched in June 2023, affecting all versions before 4.10.8. The issue allowed potential leakage of private fields through the manipulation of table prefixes in database queries (NVD, GitHub Release).

The vulnerability stems from improper handling of table prefixes in Knex queries. When using the t(number) prefix, attackers could manipulate queries to bypass filtering protections. For example, while password field was protected, t1.password could bypass these protections. This occurred because the query would change from filtering on password to filtering on t1.password, which wasn't properly secured by the filtering mechanisms (GitHub Advisory). The vulnerability received a CVSS v3.1 base score of 7.5 HIGH (NVD).

The vulnerability could lead to unauthorized access to sensitive information, including admin passwords and reset tokens. By exploiting this issue, attackers could perform filtering attacks on any object related to the database, potentially exposing private user information and sensitive system data (GitHub Advisory).

The vulnerability was patched in Strapi version 4.10.8. The fix included removing the getter for private attributes and improving sanitization in sanitizeQuery and convertQueryParams functions. Users are strongly advised to upgrade to version 4.10.8 or later to receive the security patch (GitHub Release).

The initial disclosure was handled carefully, with Strapi delaying the detailed public disclosure for four weeks after the patch release to give users time to upgrade. The vulnerability was classified as high severity but noted to have a very low probability of exploitation in the wild (GitHub Release).