Description
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
Remediation
References
https://github.com/strapi/strapi/pull/8439
https://github.com/strapi/strapi/releases/tag/v3.2.5