@strapi/strapi is vulnerable to Information Disclosure. An unauthenticated attacker can filter users by columns that contain sensitive information and infer the values from the changes in the API responses. By leaking the password reset token and changing the admin password, the attacker can hijack Strapi administrator accounts and gain unauthorized Strapi Super Administrator access.
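
One mitigation for the filtering oracle described above is to check every client-supplied filter key against a per-model allowlist before it reaches the query layer. This is an added example, not Strapi's code or its fix, and it generalizes to nested relation and logical filters. The model names, field names (including `resetToken`) and the `$`-operator filter shape are assumptions.

```javascript
// Added example: allowlist check for client-supplied filter objects.
// Model names, field names and the $-operator filter shape are assumptions
// for illustration; they are not taken from Strapi's schema or code.
const FILTERABLE = {
  article: new Set(["title", "publishedAt", "author"]),
  user: new Set(["username"]), // secret columns are simply never listed
};
const RELATIONS = { article: { author: "user" }, user: {} };
const LOGICAL = new Set(["$and", "$or", "$not"]);

const isEmpty = (v) => (Array.isArray(v) ? v.length : Object.keys(v).length) === 0;
// A scalar field may carry a primitive or an object of $-operators only.
const isOperand = (v) => v === null || typeof v !== "object" ||
  (!Array.isArray(v) && Object.keys(v).every((k) => k.startsWith("$") && !LOGICAL.has(k)));

// Returns a copy of `filters` holding only allowlisted fields. Each refused
// field path is appended to `rejected` so the caller can answer 400 and log it.
function sanitizeFilters(model, filters, rejected = [], path = "filters") {
  if (Array.isArray(filters)) {
    return filters
      .map((f, i) => sanitizeFilters(model, f, rejected, `${path}[${i}]`))
      .filter((f) => !isEmpty(f));
  }
  if (filters === null || typeof filters !== "object") return {};
  const clean = {};
  for (const [key, value] of Object.entries(filters)) {
    const here = `${path}.${key}`;
    if (LOGICAL.has(key)) {
      const inner = sanitizeFilters(model, value, rejected, here);
      if (!isEmpty(inner)) clean[key] = inner;
    } else if (!FILTERABLE[model].has(key)) {
      rejected.push(here); // unknown or sensitive column never reaches the query
    } else if (RELATIONS[model][key]) {
      // Relation: re-check the nested filter against the related model's list.
      const inner = sanitizeFilters(RELATIONS[model][key], value, rejected, here);
      if (!isEmpty(inner)) clean[key] = inner;
    } else if (isOperand(value)) {
      clean[key] = value;
    } else {
      rejected.push(here); // nested field name under a scalar column
    }
  }
  return clean;
}

// Constructed request body (not captured traffic).
const sampleFilters = { $or: [
  { title: { $contains: "release" } },
  { author: { username: "alice", resetToken: "constructed-value" } },
] };
```

Because the response to a refused filter does not depend on the stored value, rejecting the request when `rejected` is non-empty removes the signal the attacker relies on.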