CVE-2023-36472: 
JavaScript vulnerability analysis and mitigation

Strapi, an open-source headless content management system, disclosed a security vulnerability (CVE-2023-36472) affecting versions prior to 4.11.7. The vulnerability was discovered where unauthorized actors with configure view permissions could access user reset password tokens. The issue was identified in the /content-manager/relations route, which failed to properly remove private fields or ensure they couldn't be selected (GitHub Advisory).

The vulnerability exists in the content manager's relation handling mechanism. Specifically, the /content-manager/relations route had a security flaw where it did not properly sanitize private fields or implement adequate access controls. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium), with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N. This indicates network vector attack capability with high complexity, requiring low privileges and user interaction (GitHub Advisory, NVD).

The vulnerability allows non-admin users with configure view permissions to access reset password tokens of admin user accounts. This access could potentially be used for privilege escalation, as an attacker could reset an admin user's password using the obtained token (GitHub Advisory).

The vulnerability has been patched in Strapi version 4.11.7. Users are strongly advised to upgrade to this version or later to address the security issue. The fix ensures proper handling of private fields in the content-manager relations route (GitHub Release).

The release of version 4.11.7 received positive community engagement, with multiple GitHub users showing support through reactions. The release garnered 15 celebratory reactions, 8 rocket reactions, and 6 heart reactions, indicating strong community approval of the security fix (GitHub Release).