⚠️ Security Warning and Notice ⚠️
Strapi was made aware of two vulnerabilities that were patched in this release. For now, we are delaying detailed disclosure of how to exploit them and how they were patched, to give users time to upgrade before we do public disclosure.
The current timeline is to release the detailed information in the next four (4) weeks; we expect to do public disclosure (via a blog post) on Monday July 25th, 2023.
The vulnerabilities are 1 high and 1 medium, and both have a very low/basically zero probability of being used in the wild, as exploitation requires very specific knowledge of how these work.
🚨 Security
- [core:strapi] Remove getter for private attributes (https://github.com/strapi/strapi-ghsa-chmr-rg2f-9jmf/pull/2) @nathan-pichon
- [core:utils] Improve sanitization in sanitizeQuery and convertQueryParams (https://github.com/strapi/strapi-ghsa-9xg4-3qfm-9w8f/pull/3) @innerdvations