CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
35.0%
If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force.
Affected versions: < 1.7.0
If you are unable to update, you can write a beforeOperation
hook to remove where
queries that attempt to access hidden field data.
Monitor your instance for brute-force style requests against your instance using where
queries.