@delmaredigital Payload Puck Unauthenticated Access Vulnerability in Puck-Registered Collections
Vulnerability
A vulnerability in the @delmaredigital/payload-puck plugin for PayloadCMS, prior to version 0.6.23, allowed unauthenticated access to Puck-registered collections through the /api/puck/* CRUD endpoints. These endpoints bypassed the collection-level access controls, so an unauthenticated user could list, read, create, update, and delete documents, including drafts. This is particularly critical for the default 'pages' collection, where it allows unauthorized modification of website content. The flaw is addressed in version 0.6.23, which enforces the collection access controls on these endpoints.
Impact
Exploitation of this vulnerability allowed for unrestricted access to Puck-registered collections, enabling unauthorized users to manipulate collection documents without authentication. In typical installations, this included full access to the 'pages' collection, allowing attackers to read, modify, create, or delete any page, including unpublished drafts and version history.
Remediation
Upgrade to version 0.6.23 to address this vulnerability. For deployments that cannot upgrade immediately, a reverse-proxy or middleware authentication check can be placed in front of the /api/puck/* endpoints to require an authenticated session before requests reach the plugin's handlers.
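The middleware mitigation described above, as an added example that is not code from the advisory or from the payload-puck plugin: an Express-style guard that refuses requests to /api/puck/* unless a caller-supplied `isAuthenticated(req)` predicate (an assumption about the deployment, e.g. one that checks the session the CMS attaches to the request) reports a valid session. Path matching is deliberately conservative (case-folded, percent-decoded, dot segments and duplicate slashes collapsed) and fails closed on malformed URLs.

```javascript
// Added example, not code from the advisory or the payload-puck plugin.
// Guards the /api/puck/* CRUD endpoints named in the advisory so that
// unauthenticated requests never reach the plugin's handlers.
// `isAuthenticated` is an assumed predicate supplied by the deployment.

const PUCK_PREFIX = "/api/puck"; // endpoint prefix named in the advisory

// Canonicalise a request path so the guard covers every spelling a proxy or
// framework might route to the same handler: query/fragment stripped,
// percent-decoded, case-folded (Express matches routes case-insensitively),
// "." and ".." segments resolved, duplicate slashes collapsed.
function normalizePath(rawUrl) {
  const pathOnly = rawUrl.split("?")[0].split("#")[0];
  const decoded = decodeURIComponent(pathOnly).toLowerCase();
  const segments = [];
  for (const part of decoded.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") { segments.pop(); continue; }
    segments.push(part);
  }
  return "/" + segments.join("/");
}

// True when the normalised path is the plugin prefix itself or anything under it.
// A URL that cannot be decoded is treated as protected, so the guard fails closed.
function isPuckRequest(rawUrl) {
  let path;
  try {
    path = normalizePath(rawUrl);
  } catch {
    return true;
  }
  return path === PUCK_PREFIX || path.startsWith(PUCK_PREFIX + "/");
}

// Pure decision: is this a protected path, and may the request proceed?
function guardDecision(rawUrl, authenticated) {
  const protectedPath = isPuckRequest(rawUrl);
  return { protectedPath, allowed: !protectedPath || Boolean(authenticated) };
}

// Express middleware factory; mount it before the plugin registers its routes.
function requirePuckSession(isAuthenticated) {
  return function puckGuard(req, res, next) {
    const url = req.originalUrl || req.url;
    const { allowed } = guardDecision(url, isAuthenticated(req));
    if (allowed) return next();
    res.status(401).json({ error: "Authentication required" });
  };
}
```

Mount it with `app.use(requirePuckSession(req => Boolean(req.user)))` before the plugin's routes; requests to other paths pass through untouched.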