CVE-2023-30843

Published: Apr 26, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.

Affected (1)

Products: Payloadcms: Payload

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Payloadcms Payload	Before 1.7.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://github.com/payloadcms/payload/releases/tag/v1.7.0

Source: security-advisories@github.com

Release Notes

https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf

Source: security-advisories@github.com

MitigationVendor Advisory

https://github.com/payloadcms/payload/releases/tag/v1.7.0

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.