CVE-2023-37263: 
JavaScript vulnerability analysis and mitigation

Strapi, an open-source headless content management system, disclosed a vulnerability (CVE-2023-37263) affecting versions prior to 4.12.1. The vulnerability relates to field level permissions not being properly respected in relationship titles, where fields that should be restricted based on user permissions remain visible (GitHub Advisory).

The vulnerability stems from a lack of proper Role-Based Access Control (RBAC) checks on relationship endpoints. When a relationship title is configured to display a field that should be restricted based on user permissions, the field remains visible to users who shouldn't have access to it. The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (LOW) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, indicating a network-accessible vulnerability requiring high privileges with low impact (NVD).

The vulnerability results in the exposure of data through RBAC field level check failures. Users with restricted permissions could potentially view sensitive fields that were selected by admin users as relationship titles, despite not having the proper authorization to access such information (GitHub Advisory).

The vulnerability has been patched in Strapi version 4.12.1. Users are advised to upgrade to this version or later to address the security issue (GitHub Release).