CVE-2023-30843: 
JavaScript vulnerability analysis and mitigation

Payload, a free and open source headless content management system, was found to contain a vulnerability (CVE-2023-30843) in versions prior to 1.7.0. The vulnerability allowed users with access to documents containing hidden fields or fields they do not have access to potentially reverse-engineer those values through brute force methods (GitHub Advisory).

The vulnerability received a CVSS v3.1 base score of 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue stems from the ability to access and potentially reverse-engineer hidden field values through brute force methods in documents where users have read access. The vulnerability is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

If exploited, the vulnerability could lead to unauthorized access to sensitive information stored in hidden fields within documents. This could result in the exposure of confidential data that was intended to be restricted from certain user access levels (GitHub Advisory).

The vulnerability has been patched in version 1.7.0 of Payload CMS. For users unable to update immediately, a workaround is available by implementing a beforeOperation hook to remove where queries that attempt to access hidden field data. Organizations should monitor their instances for brute-force style requests using where queries to detect potential compromise attempts (GitHub Advisory).