Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.
User input in queries concerning JSON or richText fields was directly embedded in SQL queries without proper sanitization (escaping). This allows for a blind SQL injection attack — an attacker can ask the database questions and based on differences in responses, read the database contents. In this way, it is possible to extract sensitive data such as email addresses and password reset tokens, which enables account takeover without the need to crack passwords.
An attacker without any authentication can extract sensitive data from the database (including email addresses and password reset tokens) and take full control of any user account, including administrator accounts.
Payload CMS must be immediately updated to version 3.73.0 or newer, in which the vulnerability has been fixed. Details are available in the vendor references: https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8
Payload CMS (open source headless CMS) — all versions before 3.73.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPayloadcms Payload
APPPayloadcms< 3.73.0
Related vulnerabilities
Payload CMS: ominięcie uwierzytelnienia przez podatny przepływ resetowania hasła
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to exe...
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request...
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/n...
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticate...