Payload CMS Cross-Site Request Forgery Vulnerability in Authentication Flow

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Payload CMS versions prior to 3.79.1. Under certain conditions the CSRF protection can be bypassed, allowing cross-site requests to be made during the authentication process. The issue arises when 'serverURL' is configured, which puts applications running affected versions of Payload CMS at risk.

Impact

Exploitation of this vulnerability could lead to unauthorized cross-site requests being made, potentially allowing for actions to be performed on behalf of the user without their consent.

Remediation

Users are advised to upgrade to Payload CMS version 3.79.1 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, setting 'cookies.sameSite' to 'Strict' stops the browser from attaching the session cookie to cross-site requests, which limits the impact of a CSRF bypass; the trade-off is that users arriving via an external link will not be recognised and will have to re-authenticate.
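The following is an added example, not code from the advisory or from Payload CMS itself. It assumes that a Payload collection's auth cookie settings live under `auth.cookies.sameSite` (the shape of Payload's collection auth options as I understand it); the collection objects are constructed samples, not a real project's config. The first function audits a list of collection configs for auth cookies that are not yet 'Strict', and the second models the browser's SameSite rules so the re-authentication trade-off of the 'Strict' mitigation is visible: a cross-site top-level link click carries a 'Lax' cookie but not a 'Strict' one.

```javascript
// Added example (not from the advisory or from Payload CMS).
// Assumption: auth cookie settings sit under `auth.cookies.sameSite`
// on each Payload collection config.

// Resolve the SameSite mode an auth-enabled collection would use.
// Returns null for collections without auth. An unset value is treated
// as 'Lax', the browser default when the attribute is absent.
function authCookieSameSite(collection) {
  const auth = collection.auth;
  if (!auth) return null;
  const cookies = (auth === true ? {} : auth.cookies) || {};
  return cookies.sameSite ? String(cookies.sameSite) : 'Lax';
}

// Report every auth-enabled collection whose session cookie is not Strict.
function auditAuthCookies(collections) {
  const findings = [];
  for (const collection of collections) {
    const mode = authCookieSameSite(collection);
    if (mode === null) continue; // no session cookie to audit
    if (mode.toLowerCase() !== 'strict') {
      findings.push({ slug: collection.slug, sameSite: mode });
    }
  }
  return findings;
}

// Model of when a browser attaches a cookie, by SameSite mode.
// request: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieSentOn(sameSite, request) {
  if (!request.crossSite) return true; // same-site requests always carry it
  switch (String(sameSite).toLowerCase()) {
    case 'none':
      return true; // sent cross-site (browsers also require Secure)
    case 'lax':
      // only on top-level navigations using a safe method, e.g. a link click
      return request.topLevelNavigation &&
        ['GET', 'HEAD'].includes(request.method.toUpperCase());
    case 'strict':
    default:
      return false; // never sent on cross-site requests
  }
}

// Constructed sample collections (not a real project config).
const sampleCollections = [
  { slug: 'admins', auth: { cookies: { sameSite: 'Strict', secure: true } } },
  { slug: 'users', auth: true },                           // defaults -> Lax
  { slug: 'customers', auth: { cookies: { sameSite: 'None', secure: true } } },
  { slug: 'posts', fields: [] },                           // no auth at all
];

console.log('collections not on SameSite=Strict:', auditAuthCookies(sampleCollections));

// Why Strict forces a re-login after following an external link:
const externalLinkClick = { crossSite: true, topLevelNavigation: true, method: 'GET' };
console.log('Lax cookie sent on external link click:', cookieSentOn('Lax', externalLinkClick));
console.log('Strict cookie sent on external link click:', cookieSentOn('Strict', externalLinkClick));
```

Run it with node against your own collection list (replace `sampleCollections`) to see which auth-enabled collections still accept the default; the `cookieSentOn` model is a simplification of the SameSite rules and ignores the Secure attribute and scheme checks.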

Added: Apr 1, 2026, 8:28 PM
Updated: Apr 1, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 5.8
remediation: 7.9
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.