CVE-2023-30843 Payload's hidden fields can be leaked on readable collections

2023-04-2620:32:54

CWE-200

GitHub_M

www.cve.org

payload

headless cms

version 1.7.0

security patch

beforeoperation hook

hidden fields

data leak

brute force

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

35.2%

JSON

Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a beforeOperation hook to remove where queries that attempt to access hidden field data.

CNA Affected

[
  {
    "vendor": "payloadcms",
    "product": "payload",
    "versions": [
      {
        "version": "< 1.7.0",
        "status": "affected"
      }
    ]
  }
]