If a user can read documents in a collection that contains hidden fields (`hidden: true`) or fields their field-level access rules withhold from them, the user can still filter on those fields with `where` queries. By submitting successive guesses and observing which documents come back, the user can reverse-engineer the hidden values by brute force, even though the values themselves are never returned in a response.
Affected versions: < 1.7.0
Workarounds
If you are unable to update, you can add a collection `beforeOperation` hook that inspects the `where` argument of read operations and removes, or rejects, any clause that references a hidden field or a field the requesting user is not allowed to read.
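One way to implement that workaround, as an added example rather than Payload's own code. It assumes Payload's `beforeOperation` hook shape (`({ args, operation }) => args`, with `operation === 'read'` for find/findByID and `args.where`, `args.req` and `args.overrideAccess` available on `args`) and Payload's `where` syntax (`{ field: { equals: 'x' } }`, `{ and: [...] }`, `{ or: [...] }`, dot paths for nested fields). The `usersFields` collection config, the `ForbiddenWhereError` class and the `makeWhereGuard` helper are constructed for the demo; in a real deployment you would throw Payload's own `Forbidden` error (assumed to be exported from `payload/errors`) instead. The guard rejects the whole request rather than silently dropping clauses, since dropping a clause from an `or` narrows the result and could itself be observed.

```javascript
// Added example (not Payload's own code): a collection-level beforeOperation
// hook that refuses `read` operations whose `where` clause filters on a field
// the requesting user cannot see.

const WHERE_COMBINATORS = new Set(['and', 'or']);

class ForbiddenWhereError extends Error {
  constructor(keys) {
    super(`where clause references non-filterable field(s): ${keys.join(', ')}`);
    this.name = 'ForbiddenWhereError';
    this.status = 403; // assumption: replace with Payload's Forbidden error in a real deployment
  }
}

// Dot paths a user may not filter on: every `hidden: true` field (and all of
// its children) plus every field whose field-level `access.read` does not
// grant this request. Access functions are called with only { req }, so a
// doc-dependent or async function does not return `true` here and its field
// is treated as non-filterable, which is the safe direction.
function collectNonFilterablePaths(fields, req, prefix = '') {
  const paths = new Set();
  for (const field of fields) {
    const named = typeof field.name === 'string' && field.name !== '';
    const path = named ? prefix + field.name : prefix;
    if (named) {
      const read = field.access && field.access.read;
      const restricted =
        field.hidden === true || (typeof read === 'function' && read({ req }) !== true);
      if (restricted) {
        paths.add(path);
        continue; // everything below a restricted field is restricted too
      }
    }
    // Groups, arrays, rows and collapsibles nest children under `fields`;
    // unnamed containers (row, collapsible) add no path segment.
    // Tabs and blocks are not handled in this example.
    if (Array.isArray(field.fields)) {
      const childPrefix = named ? path + '.' : prefix;
      for (const p of collectNonFilterablePaths(field.fields, req, childPrefix)) paths.add(p);
    }
  }
  return paths;
}

// Walk a where object (including and/or groups) and return every key that
// names a forbidden path or a sub-path of one ('secrets.apiKey' under 'secrets').
function findForbiddenWhereKeys(where, forbidden, hits = []) {
  if (!where || typeof where !== 'object') return hits;
  for (const [key, value] of Object.entries(where)) {
    if (WHERE_COMBINATORS.has(key)) {
      if (Array.isArray(value)) value.forEach((sub) => findForbiddenWhereKeys(sub, forbidden, hits));
      continue;
    }
    for (const path of forbidden) {
      if (key === path || key.startsWith(path + '.')) {
        hits.push(key);
        break;
      }
    }
  }
  return hits;
}

// Build the hook for one collection. Local API calls made with overrideAccess
// (Payload's default for the local API) are left alone.
function makeWhereGuard(fields) {
  return ({ args, operation }) => {
    if (operation !== 'read' || args.overrideAccess === true) return args;
    const forbidden = collectNonFilterablePaths(fields, args.req);
    const hits = findForbiddenWhereKeys(args.where, forbidden);
    if (hits.length > 0) throw new ForbiddenWhereError(hits);
    return args;
  };
}

// Constructed collection config for the demo.
const usersFields = [
  { name: 'email', type: 'email' },
  { name: 'resetToken', type: 'text', hidden: true },
  {
    type: 'row',
    fields: [
      { name: 'displayName', type: 'text' },
      { name: 'taxId', type: 'text', access: { read: ({ req }) => Boolean(req.user && req.user.isAdmin) } },
    ],
  },
  { name: 'secrets', type: 'group', hidden: true, fields: [{ name: 'apiKey', type: 'text' }] },
];

const guardUsersWhere = makeWhereGuard(usersFields);
// In the collection config: hooks: { beforeOperation: [guardUsersWhere] }
```

Because the guard evaluates field-level `access.read` per request, an admin whose access function returns `true` can still filter on `taxId`, while an anonymous request filtering on `taxId`, `resetToken` or `secrets.apiKey` is refused with a 403 before the query reaches the database.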
Detecting Compromise
Monitor your instance's request logs for brute-force-style traffic: many `where` queries from a single client against the same field, each with a different value, within a short time window.
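The detection logic described above, run over sample log lines, as an added example that is not part of the original advisory. It assumes combined-style access log lines from a reverse proxy in front of the Payload REST API, where `where` clauses arrive as bracketed query-string keys such as `where[resetToken][like]=ab` (percent-encoded or not), and flags any client that queries one field with at least `threshold` distinct values inside `windowMs`. The log lines in `SAMPLE_LOG_LINES` are constructed for the demo and show a client walking a hidden token prefix by prefix.

```javascript
// Added example (not Payload's own code): flag clients that probe a field by
// issuing many `where` queries with different values in a short window.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// ip ident user [dd/Mon/yyyy:HH:MM:SS +hhmm] "METHOD target HTTP/x" status
const LOG_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(?:GET|POST) ([^ "]+) HTTP\/[\d.]+" (\d{3})/;
// where[field][op] or where[or][0][field][op] (qs encoding of and/or groups)
const WHERE_KEY_RE = /^where(?:\[(?:and|or)\]\[\d+\])*\[([^\]]+)\]\[([^\]]+)\]$/;

// Parse one access-log line into { ip, ts, path, status, probes[] }, where each
// probe is a { field, operator, value } taken from the where[...] query keys.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, day, mon, year, hh, mm, ss, sign, tzh, tzm, target, status] = m;
  const offsetMs = (sign === '-' ? -1 : 1) * (Number(tzh) * 60 + Number(tzm)) * 60000;
  const ts = Date.UTC(Number(year), MONTHS[mon], Number(day), Number(hh), Number(mm), Number(ss)) - offsetMs;
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const params = new URLSearchParams(q === -1 ? '' : target.slice(q + 1)); // decodes %5B/%5D
  const probes = [];
  for (const [key, value] of params) {
    const wk = WHERE_KEY_RE.exec(key);
    if (wk) probes.push({ field: wk[1], operator: wk[2], value });
  }
  return { ip, ts, path, status: Number(status), probes };
}

// Group probes by (client, path, field) and slide a time window over each
// group, counting distinct values; report groups that reach the threshold.
function detectWhereProbing(lines, { windowMs = 60000, threshold = 5 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue; // unparseable lines are skipped, not an alert
    for (const p of e.probes) {
      const key = `${e.ip}|${e.path}|${p.field}`;
      if (!groups.has(key)) groups.set(key, []);
      groups.get(key).push({ ts: e.ts, value: p.value, operator: p.operator });
    }
  }
  const alerts = [];
  for (const [key, events] of groups) {
    events.sort((a, b) => a.ts - b.ts);
    const counts = new Map();
    const operators = new Set();
    let distinct = 0, best = 0, start = 0;
    for (let end = 0; end < events.length; end++) {
      const v = events[end].value;
      counts.set(v, (counts.get(v) || 0) + 1);
      if (counts.get(v) === 1) distinct++;
      operators.add(events[end].operator);
      while (events[end].ts - events[start].ts > windowMs) { // shrink window from the left
        const u = events[start].value;
        counts.set(u, counts.get(u) - 1);
        if (counts.get(u) === 0) distinct--;
        start++;
      }
      if (distinct > best) best = distinct;
    }
    if (best >= threshold) {
      const [ip, path, field] = key.split('|');
      alerts.push({ ip, path, field, distinctValues: best, operators: [...operators].sort() });
    }
  }
  return alerts;
}

// Constructed sample: 203.0.113.5 extends a guessed resetToken prefix one
// character at a time; 198.51.100.7 performs two ordinary email lookups.
const SAMPLE_LOG_LINES = [
  '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=a HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=ab HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /api/users?where[email][equals]=alice%40example.com HTTP/1.1" 200 640',
  '203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=ab3 HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=ab3f HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=ab3f9 HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "GET /api/users?where%5BresetToken%5D%5Blike%5D=ab3f9c HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Oct/2023:13:57:03 +0000] "GET /api/users?where[email][equals]=bob%40example.com HTTP/1.1" 200 640',
];

function exampleAlerts() {
  return detectWhereProbing(SAMPLE_LOG_LINES, { windowMs: 60000, threshold: 5 });
}
```

Tune `threshold` and `windowMs` to the collection: a search box on `title` legitimately produces many distinct `like` values, so the rule is most useful when scoped to fields that are hidden or access-restricted, where any filtering at all from an ordinary client is suspicious.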
References
https://github.com/payloadcms/payload/releases
https://github.com/payloadcms/payload/releases/tag/v1.7.0