Executive Summary

This vulnerability exists in ApostropheCMS versions 4.28.0 and earlier, specifically in the getRestQuery method of the @apostrophecms/piece-type module. The method is supposed to apply an admin-configured publicApiProjection to restrict which fields are visible via the public API. However, if an unauthenticated attacker supplies a project query parameter in a REST API request, it is processed before the permission check, causing the publicApiProjection to be skipped. This allows the attacker to bypass authorization and access any field on publicly queryable documents that should have been restricted, such as internal notes, draft content, or metadata.

Exploitation is simple and requires no authentication; an attacker only needs to append specific query parameters to a public URL.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information that administrators intended to keep private. Attackers can access restricted fields such as internal notes, draft content, or metadata without any authentication.

Because exploitation is trivial and requires only appending query parameters to a public URL, it increases the risk of data leakage and exposure of confidential or sensitive content.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in ApostropheCMS version 4.29.0. The immediate step to mitigate this vulnerability is to upgrade your ApostropheCMS installation to version 4.29.0 or later.

Since exploitation is trivial and requires no authentication, applying the update promptly is critical to prevent unauthorized disclosure of restricted fields.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to bypass field-level access controls and disclose sensitive fields such as internal notes, draft content, or metadata that administrators explicitly restricted from the public API.

Such unauthorized disclosure of sensitive or restricted data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Because exploitation is trivial and requires no authentication, this vulnerability increases the risk of data breaches, potentially violating confidentiality requirements mandated by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring REST API requests to ApostropheCMS piece-type modules for the presence of the `project` query parameter in unauthenticated requests.

Specifically, an attacker exploits the vulnerability by appending query parameters like `?project[internalNotes]=1` to public API URLs, which causes unauthorized disclosure of restricted fields.

To detect exploitation attempts or verify if your system is vulnerable, you can search your web server or application logs for REST API requests containing the `project` query parameter targeting piece-type endpoints.

• Use command-line tools like `grep` or `awk` to filter logs for suspicious requests, for example:
• grep -i 'project\[' /path/to/access.log
• grep -E '\?project\[' /path/to/access.log
• Alternatively, use network monitoring tools or intrusion detection systems to alert on HTTP requests containing the `project` parameter in URLs to ApostropheCMS piece-type REST API endpoints.

Since exploitation requires no authentication and only involves appending query parameters, any such requests should be considered suspicious if your ApostropheCMS version is 4.28.0 or earlier and not patched.

Useful 0 Not Useful 0