Product
Strapi versions prior to 5.37.0 are vulnerable to an unauthenticated boolean-oracle attack: filter conditions supplied through the `where` query parameter of a publicly accessible content-type are evaluated against private fields of the joined `admin_users` table, including `resetPasswordToken`. Because each request reveals only whether the condition matched, an attacker can recover an administrator's reset token through repeated comparisons and then use it to take over that administrator account with no authentication at all.
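The root cause described above is a filter object that is allowed to traverse a relation into the admin user model and compare against attributes marked private. The following is an added illustration, not Strapi's own code or patch: a filter validator that walks a nested filter object against a content-type schema and rejects any condition whose path reaches a private attribute, including through a relation such as `createdBy`. The schema objects, the `api::article.article` content type, the `filters` key and the set of operators are constructed stand-ins for this example; the attributes listed under `admin::user` and their `private` flags are assumptions, not a claim about Strapi's real model.

```javascript
// Added example: reject filter conditions that reach private attributes,
// directly or through relations. Schemas below are constructed for this demo.
const schemas = {
  "api::article.article": {
    attributes: {
      id: { type: "integer" },
      title: { type: "string" },
      // relation into the admin user model, as createdBy/updatedBy would be
      createdBy: { type: "relation", target: "admin::user" },
    },
  },
  "admin::user": {
    attributes: {
      id: { type: "integer" },
      firstname: { type: "string" },
      // assumed private flags for the purpose of the example
      email: { type: "email", private: true },
      password: { type: "password", private: true },
      resetPasswordToken: { type: "string", private: true },
    },
  },
};

// Logical operators wrap further conditions on the *same* model.
const LOGICAL = new Set(["$and", "$or", "$not"]);

class ForbiddenFilterError extends Error {}

// Recursively validate `filters` against the schema identified by `uid`.
// Throws ForbiddenFilterError on an unknown attribute or a private one.
function checkFilters(filters, uid, path = []) {
  if (Array.isArray(filters)) {
    for (const f of filters) checkFilters(f, uid, path);
    return;
  }
  if (filters === null || typeof filters !== "object") return; // literal value
  const attrs = schemas[uid].attributes;
  for (const [key, value] of Object.entries(filters)) {
    if (LOGICAL.has(key)) {
      checkFilters(value, uid, path); // $and / $or / $not: same model
      continue;
    }
    if (key.startsWith("$")) continue; // comparison operator ($eq, $startsWith, ...)
    const here = [...path, key].join(".");
    const attr = attrs[key];
    if (!attr) throw new ForbiddenFilterError(`unknown attribute ${here}`);
    if (attr.private) throw new ForbiddenFilterError(`filter on private attribute ${here}`);
    if (attr.type === "relation") {
      // Descend into the target model so private fields there are caught too.
      checkFilters(value, attr.target, [...path, key]);
    }
    // Scalar attribute: the value is a literal or an operator object; nothing more to check.
  }
}

// Wrapper returning a result object instead of throwing, for use in a request handler.
function sanitizeQuery(uid, query) {
  try {
    checkFilters(query.filters, uid);
    return { ok: true };
  } catch (e) {
    if (e instanceof ForbiddenFilterError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Example: a benign filter and an oracle-style probe into the admin relation.
console.log(sanitizeQuery("api::article.article", { filters: { title: { $contains: "x" } } }));
console.log(sanitizeQuery("api::article.article", {
  filters: { createdBy: { resetPasswordToken: { $startsWith: "a" } } },
}));
```

Two points worth carrying into a real implementation: the check has to be applied to every query surface that can compare a field value, since ordering by a private attribute of a related record (a `sort` parameter) can leak bit by bit just as a filter does; and unknown attribute names are rejected rather than passed through, so a column that exists in the database but not in the public schema cannot be reached either.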