Payload
cpe:2.3:a:payloadcms:payload:*:*:*:*:node.js:*:*
- < 3.73.0
A blind SQL injection vulnerability has been identified in Payload CMS versions prior to 3.73.0, specifically within the JSON and richText fields. The issue arises because user input was inserted directly into SQL queries without proper escaping. An unauthenticated attacker could leverage this vulnerability to extract sensitive information such as emails and password reset tokens, potentially leading to full account takeover without the need to crack passwords. The vulnerability affects deployments that use a Drizzle-based database adapter and have accessible collections containing the vulnerable field types.
Exploitation of this vulnerability allows for blind SQL injection, enabling an attacker to manipulate SQL queries and potentially access or modify database information. In this case, it could lead to extraction of sensitive data and unauthorized account access.
Users are advised to upgrade to Payload CMS version 3.73.0 or later. If an immediate upgrade is not possible, as a temporary mitigation, add 'access: { read: () => false }' to all JSON and richText fields.
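One way to apply the temporary mitigation consistently across a collection, including JSON and richText fields nested in groups, tabs and blocks, is sketched below as an added example that is not Payload's own code. It uses a simplified local `FieldLike` type in place of Payload's field types, and the helper names and sample fields are hypothetical.

```typescript
// Simplified stand-in for Payload's field config (assumption: declared locally,
// not imported from the `payload` package, so the example runs on its own).
type AccessFn = (...args: unknown[]) => boolean | Promise<boolean>;
type FieldLike = {
  type: string;
  name?: string;
  access?: { read?: AccessFn; create?: AccessFn; update?: AccessFn };
  fields?: FieldLike[];                              // group, array, row, collapsible
  tabs?: { fields: FieldLike[] }[];                  // tabs
  blocks?: { slug: string; fields: FieldLike[] }[];  // blocks
};

const isAffectedType = (t: string): boolean => t === "json" || t === "richText";

// Returns a copy of `fields` with read access denied on every json/richText
// field at any nesting depth; existing create/update rules are preserved.
function denyReadOnAffectedFields(fields: FieldLike[]): FieldLike[] {
  return fields.map((f) => {
    const next: FieldLike = { ...f };
    if (isAffectedType(f.type)) next.access = { ...f.access, read: () => false };
    if (f.fields) next.fields = denyReadOnAffectedFields(f.fields);
    if (f.tabs) next.tabs = f.tabs.map((t) => ({ ...t, fields: denyReadOnAffectedFields(t.fields) }));
    if (f.blocks) next.blocks = f.blocks.map((b) => ({ ...b, fields: denyReadOnAffectedFields(b.fields) }));
    return next;
  });
}

// Audit helper: dotted paths of json/richText fields that have no field-level
// read rule at all (custom rules are reported as present, not evaluated).
function pathsWithoutReadRule(fields: FieldLike[], parent: string[] = []): string[] {
  const found: string[] = [];
  for (const f of fields) {
    const here = f.name ? [...parent, f.name] : parent;
    if (isAffectedType(f.type) && !f.access?.read) found.push(here.join("."));
    if (f.fields) found.push(...pathsWithoutReadRule(f.fields, here));
    for (const t of f.tabs ?? []) found.push(...pathsWithoutReadRule(t.fields, here));
    for (const b of f.blocks ?? []) found.push(...pathsWithoutReadRule(b.fields, [...here, b.slug]));
  }
  return found;
}

// Constructed sample collection fields (hypothetical names).
const sampleFields: FieldLike[] = [
  { type: "text", name: "title" },
  { type: "richText", name: "body", access: { update: () => true } },
  { type: "group", name: "meta", fields: [{ type: "json", name: "extra" }] },
  { type: "blocks", name: "layout", blocks: [{ slug: "hero", fields: [{ type: "richText", name: "copy" }] }] },
];
const patchedFields = denyReadOnAffectedFields(sampleFields);
```

The patched array is what would be assigned to the collection's `fields`; the audit helper can be run over each collection beforehand to list the fields that still need the rule.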