
Strapi Release: 3.6.8

Tag Name: v3.6.8

Release Date: 8/24/2021


Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.

TL;DR

Strapi v3.6.8 is a minor update focusing on security and UI improvements. It fixes a critical security vulnerability where blocked users could bypass restrictions using the forgot password feature, and includes UI enhancements like updated social links and grammar corrections. This release is important for all Strapi users to maintain security and improve the admin interface experience.

Highlight of the Release

    • Fixed security vulnerability in the forgot password feature
    • Updated social links on the landing page
    • Grammar corrections in admin interface

Migration Guide

No specific migration steps are required for this update. This is a minor release that can be installed by updating your Strapi version to v3.6.8.

For general migration guidance, refer to the Strapi Migration Guides.

Upgrade Recommendations

This update is highly recommended for all Strapi users due to the security fix addressing the authentication vulnerability in the users-permissions plugin.

To upgrade:

npm install [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Or if using Yarn:

yarn upgrade [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Bug Fixes

Fixed Authentication Security Vulnerability

A critical security issue has been fixed where blocked users were previously able to sign in using the forgot password feature. This vulnerability allowed users whose accounts had been blocked to bypass these restrictions and gain access to the system. The fix ensures that the forgot password functionality properly respects user account status.

PR: #10787

New Features

No significant new features were added in this release. This update primarily focuses on security fixes and minor UI enhancements.

Security Updates

Users-Permissions Authentication Fix

This release addresses an important security vulnerability in the users-permissions plugin. Previously, users with blocked accounts could circumvent this restriction by using the forgot password feature, allowing them to regain access to the system despite being blocked. This security issue has been resolved by ensuring that the forgot password functionality properly checks the user's blocked status before processing password reset requests.

PR: #10787

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

This release primarily impacts the security of Strapi installations by fixing a vulnerability in the authentication system. The fix ensures that blocked users cannot bypass restrictions using the forgot password feature, which is crucial for maintaining proper access control.

The UI enhancements, while minor, improve the overall user experience with updated social links on the landing page and grammar corrections in the admin interface.

This update is particularly important for installations that rely on the users-permissions plugin for authentication and have blocked users in their system. The security fix ensures that account blocking functions as intended, maintaining the integrity of your user access controls.

Full Release Notes

Statistics:

Files Changed: 48
Line Additions: 133
Line Deletions: 124
Line Changes: 257
Total Commits: 9

Users Affected:

  • Enhanced security with fixed authentication vulnerability
  • Improved admin interface with grammar corrections
  • Updated social links in the landing page

Contributors:

mikebolt, derrickmehaffy, alexandrebodin