Lucene search

[email protected]NVD:CVE-2023-30843

HistoryApr 26, 2023 - 9:15 p.m.

CVE-2023-30843

2023-04-2621:15:09

CWE-200

[email protected]

web.nvd.nist.gov

payload

content management system

reverse-engineering

beforeoperation hook

hidden field data

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

35.0%

JSON

Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a beforeOperation hook to remove where queries that attempt to access hidden field data.

Affected configurations

Nvd

Node

payloadcmspayloadRange<1.7.0node.js

VendorProductVersionCPE
payloadcmspayload*cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
payloadcms	payload	*	cpe:2.3:a:payloadcms:payload::::::node.js::*

References

github.com/payloadcms/payload/releases/tag/v1.7.0

github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

35.0%

JSON

Related for NVD:CVE-2023-30843

cve1 cvelist1 osv2 veracode1 prion1 github1