Payload SQL Injection Vulnerability Allowing Data Exposure or Modification

Vulnerability

A SQL injection vulnerability has been identified in Payload CMS versions prior to 3.79.1. This issue arises from improper validation of certain request inputs, allowing attackers to craft requests that manipulate SQL query execution. As a result, there is a potential risk of exposing or modifying data within collections.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access or manipulation.

Remediation

Users are advised to upgrade to Payload CMS version 3.79.1 or later, where this vulnerability has been patched. Query input validation has been improved in this version. Until an upgrade can be performed, it is recommended to limit access to endpoints that accept dynamic query inputs to trusted users only and to validate or sanitize input from untrusted clients before sending it to query endpoints.
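The interim mitigation above asks operators to validate untrusted query input before it reaches a query endpoint. The following is an added example (not Payload's own code, and not the patched validation shipped in 3.79.1) of the allowlist approach that a request handler can apply to a client-supplied `where` object: only known field names and operators pass, operands must be scalars (or a bounded list of scalars for `in`), nesting depth is capped, and anything else is rejected rather than "cleaned". The field names, operator names and the shape of the `where` object are assumptions chosen for illustration.

```javascript
// Added example, not Payload's own code: screen a client-supplied "where"
// object against an allowlist of fields and operators before it reaches any
// query layer. Field and operator names below are illustrative assumptions.

const ALLOWED_FIELDS = new Set(['title', 'status', 'createdAt']);
const ALLOWED_OPERATORS = new Set(['equals', 'not_equals', 'in', 'greater_than', 'less_than']);
const MAX_DEPTH = 3;        // bound nesting of and/or groups
const MAX_IN_VALUES = 100;  // bound list size for "in"

class QueryValidationError extends Error {}

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function isScalar(value) {
  return ['string', 'number', 'boolean'].includes(typeof value);
}

// Operands must be scalars (or a bounded array of scalars for "in"); nested
// objects are rejected so operator-like structures cannot be smuggled in.
function validateOperand(op, operand) {
  if (op === 'in') {
    if (!Array.isArray(operand) || operand.length > MAX_IN_VALUES || !operand.every(isScalar)) {
      throw new QueryValidationError(`operand for "in" must be an array of at most ${MAX_IN_VALUES} scalars`);
    }
    return operand.slice();
  }
  if (!isScalar(operand)) {
    throw new QueryValidationError(`operand for "${op}" must be a scalar`);
  }
  return operand;
}

// Returns a freshly built copy containing only allowlisted keys; anything
// unexpected raises QueryValidationError instead of being passed through.
function validateWhere(where, depth = 0) {
  if (depth > MAX_DEPTH) throw new QueryValidationError('query nesting too deep');
  if (!isPlainObject(where)) throw new QueryValidationError('where must be an object');
  const clean = {};
  for (const [key, value] of Object.entries(where)) {
    if (key === 'and' || key === 'or') {
      if (!Array.isArray(value)) throw new QueryValidationError(`"${key}" must be an array`);
      clean[key] = value.map((sub) => validateWhere(sub, depth + 1));
      continue;
    }
    if (!ALLOWED_FIELDS.has(key)) throw new QueryValidationError(`field not allowed: ${key}`);
    if (!isPlainObject(value)) throw new QueryValidationError(`condition for "${key}" must be an object`);
    const condition = {};
    for (const [op, operand] of Object.entries(value)) {
      if (!ALLOWED_OPERATORS.has(op)) throw new QueryValidationError(`operator not allowed: ${op}`);
      condition[op] = validateOperand(op, operand);
    }
    clean[key] = condition;
  }
  return clean;
}

// Wrapper for a request handler: never throws on bad input, reports a reason
// so the rejection can be logged and returned as a 400 instead of a 500.
function screenQuery(where) {
  try {
    return { ok: true, where: validateWhere(where) };
  } catch (err) {
    if (err instanceof QueryValidationError) return { ok: false, reason: err.message };
    throw err;
  }
}

// Constructed sample inputs, as a client might send them after JSON parsing.
const accepted = screenQuery({
  and: [{ status: { equals: 'published' } }, { createdAt: { greater_than: '2026-01-01' } }],
});
const rejected = screenQuery({ status: { like: '%' } });
console.log(accepted.ok, rejected.ok, rejected.reason);
```

The design choice is allowlisting over sanitizing: a blocklist of "dangerous" characters has to anticipate every encoding the database layer accepts, whereas an allowlist only has to describe the queries the application legitimately needs. Because `validateWhere` builds a fresh object rather than mutating the input, keys such as a JSON-parsed `__proto__` are dropped along with every other unlisted field.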

Added: Apr 1, 2026, 8:29 PM
Updated: Apr 1, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 3.1
exploitability: 5.4
remediation: 7.9
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.