Moderate severity · NVD Advisory · Published Dec 5, 2024 · Updated Dec 6, 2024
Directus has an HTML Injection in Comment
CVE-2024-54128
Description
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature implements a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter runs only on the client side, so it can be bypassed by submitting the comment directly to the API, making the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0; note that the GitHub Security Advisory lists the patched packages as directus 10.13.4 and 11.2.2 and @directus/app 13.3.1.
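The following is an added example, not Directus code and not taken from the advisory, showing why a client-side character filter gives no protection and what a server-side fix looks like. The comment store, handler names and request body shape are assumptions made for illustration; the injected payload is constructed.

```javascript
// Added example (not Directus code): a client-side filter vs. server-side escaping.
// The handler names and the { comment } body shape are assumptions for illustration.

const RESTRICTED = /[<>]/;

// Client-side check as a browser app might implement it. It only runs inside
// the submitting user's browser, so it cannot protect anyone who views the comment.
function clientSideAllows(comment) {
  return !RESTRICTED.test(comment);
}

// Server-side fix: escape every character significant in HTML so the stored
// comment is rendered as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable handler: trusts that the client already removed restricted
// characters and stores the raw string.
function storeCommentVulnerable(store, body) {
  store.push(body.comment);
  return body.comment;
}

// Fixed handler: sanitises on the server regardless of what the client did.
function storeCommentFixed(store, body) {
  const safe = escapeHtml(body.comment);
  store.push(safe);
  return safe;
}

// Simulate an attacker who skips the UI and POSTs the JSON body directly
// (curl, fetch, any HTTP client), so clientSideAllows() is never executed.
function simulateDirectPost(handler) {
  const store = [];
  // Constructed payload: a phishing link that would render as clickable HTML.
  const body = { comment: '<a href="https://attacker.example/login">Session expired, sign in again</a>' };
  const rendered = handler(store, body);
  return { rendered, containsTag: /<a\s/i.test(rendered) };
}

console.log(simulateDirectPost(storeCommentVulnerable)); // tag survives
console.log(simulateDirectPost(storeCommentFixed));      // tag escaped
```

To verify a deployed fix, do what the simulation does: send a comment containing a tag straight to the API with a non-browser client and confirm that the stored value comes back escaped or rejected; checking only through the web UI exercises the client-side filter and proves nothing about the server.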
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @directus/app | npm | >= 11.0.0, < 13.3.1 | 13.3.1 |
| directus | npm | >= 10.10.0, < 10.13.4 | 10.13.4 |
| directus | npm | >= 11.0.0-rc.1, < 11.2.2 | 11.2.2 |
Affected products
No CPE entries are assigned. The advisory lists two version ranges, matching the package table:
- >= 11.0.0, < 13.3.1 (@directus/app)
- >= 10.10.0, < 10.13.4 (directus)
References
- GitHub advisory GHSA-r6wx-627v-gh2f: github.com/advisories/GHSA-r6wx-627v-gh2f
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2024-54128
- Commit: github.com/directus/directus/commit/4487fb18d5cb09e071b111d2dc0c9d6bcb437633
- Commit: github.com/directus/directus/commit/c89dbb233fbad2fd0cf41eb99d50c6de4e84195d
- Repository security advisory (vendor confirmation): github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f