CVE-2023-30843

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-30843

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30843.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-30843

Aliases

GHSA-35jj-vqcf-f2jf

Published

2023-04-26T20:32:54.545Z

Modified

2026-05-01T04:19:00.172889Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Payload's hidden fields can be leaked on readable collections

Details

Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a beforeOperation hook to remove where queries that attempt to access hidden field data.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30843.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "1.7.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/payloadcms/payload

Affected ranges

Type

GIT

Repo

https://github.com/payloadcms/payload

Events

Introduced

Fixed

a4fd0df69c944a13eec6221f0779ee40bf47cf61

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.0"
        }
    ],
    "cpe": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*",
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*

v0.0.10

v0.0.101

v0.0.102

v0.0.103

v0.0.104

v0.0.105

v0.0.106

v0.0.107

v0.0.108

v0.0.109

v0.0.11

v0.0.110

v0.0.111

v0.0.112

v0.0.113

v0.0.114

v0.0.115

v0.0.116

v0.0.117

v0.0.118

v0.0.119

v0.0.12

v0.0.120

v0.0.121

v0.0.122

v0.0.123

v0.0.124

v0.0.125

v0.0.126

v0.0.128

v0.0.129

v0.0.13

v0.0.130

v0.0.131

v0.0.132

v0.0.133

v0.0.134

v0.0.135

v0.0.136

v0.0.137

v0.0.138

v0.0.139

v0.0.14

v0.0.140

v0.0.141

v0.0.15

v0.0.16

v0.0.17

v0.0.18

v0.0.19

v0.0.2

v0.0.20

v0.0.21

v0.0.22

v0.0.24

v0.0.26

v0.0.27

v0.0.28

v0.0.29

v0.0.3

v0.0.30

v0.0.31

v0.0.32

v0.0.33

v0.0.34

v0.0.35

v0.0.36

v0.0.37

v0.0.38

v0.0.39

v0.0.4

v0.0.40

v0.0.41

v0.0.42

v0.0.43

v0.0.44

v0.0.45

v0.0.46

v0.0.47

v0.0.48

v0.0.49

v0.0.5

v0.0.50

v0.0.51

v0.0.52

v0.0.53

v0.0.54

v0.0.55

v0.0.56

v0.0.57

v0.0.58

v0.0.59

v0.0.6

v0.0.60

v0.0.61

v0.0.62

v0.0.63

v0.0.64

v0.0.65

v0.0.66

v0.0.67

v0.0.68

v0.0.69

v0.0.7

v0.0.70

v0.0.71

v0.0.72

v0.0.73

v0.0.74

v0.0.75

v0.0.76

v0.0.77

v0.0.78

v0.0.79

v0.0.8

v0.0.80

v0.0.81

v0.0.82

v0.0.83

v0.0.84

v0.0.85

v0.0.86

v0.0.87

v0.0.88

v0.0.89

v0.0.9

v0.0.90

v0.0.91

v0.0.92

v0.0.93

v0.0.94

v0.0.95

v0.0.96

v0.0.97

v0.0.98

v0.0.99

v0.1.121

v0.1.122

v0.1.123

v0.1.124

v0.1.125

v0.1.126

v0.1.127

v0.1.138

v0.1.139

v0.1.140

v0.1.141

v0.1.142

v0.1.143

v0.1.144

v0.1.145

v0.1.146

v0.1.16

v0.1.17

v0.1.18

v0.1.19

v0.1.20

v0.10.10

v0.10.11

v0.10.7

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.13.4

v0.13.5

v0.13.6

v0.14.0

v0.15.0

v0.15.1

v0.15.10

v0.15.11

v0.15.12

v0.15.13

v0.15.2

v0.15.3

v0.15.4

v0.15.5

v0.15.6

v0.15.7

v0.15.8

v0.15.9

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.18.5

v0.19.2

v0.2.0

v0.2.10

v0.2.11

v0.2.12

v0.2.13

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.8

v0.2.9

v0.20.1

v0.3.0

v0.5.10

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v1.*

v1.0.10

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.0.19

v1.0.20

v1.0.21

v1.0.22

v1.0.23

v1.0.24

v1.0.25

v1.0.26

v1.0.27

v1.0.28

v1.0.29

v1.0.30

v1.0.33

v1.0.34

v1.0.35

v1.0.36

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.10

v1.1.11

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.18

v1.1.19

v1.1.20

v1.1.21

v1.1.22

v1.1.23

v1.1.24

v1.1.25

v1.1.26

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.14

v1.6.15

v1.6.17

v1.6.18

v1.6.19

v1.6.2

v1.6.20

v1.6.21

v1.6.22

v1.6.23

v1.6.24

v1.6.25

v1.6.26

v1.6.27

v1.6.28

v1.6.29

v1.6.3

v1.6.30

v1.6.31

v1.6.32

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30843.json"