Moderate severity · NVD Advisory · Published Dec 5, 2024 · Updated Dec 6, 2024
Directus has an HTML Injection in Comment
CVE-2024-54128
Description
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature implements a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates only on the client side and can be bypassed, leaving the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.
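As an added example, not Directus code, the render-time pattern the fix adopts, written in plain JavaScript: sanitize the untrusted comment body first, then wrap resolved mentions in the trusted `<mark>` tag, because sanitizing after the replacement would strip the wrapper as well. HTML-entity escaping stands in for `dompurify.sanitize(text, { ALLOWED_TAGS: [] })` so the snippet runs offline; the mention syntax `@:<id>`, the preview map and the sample comment are constructed for the example.

```javascript
// Added example (not Directus code): mirror the patched ordering, sanitise the
// untrusted comment body first, then wrap resolved mentions in trusted <mark>.
// HTML-entity escaping stands in for dompurify.sanitize(text, { ALLOWED_TAGS: [] });
// mention syntax "@:<id>", the preview map and the sample are constructed.

// Constructed lookup of mention id -> display name; names are user-editable
// profile data, so one of them deliberately carries markup.
const USER_PREVIEWS = { a1b2: 'Alice', c3d4: '<i>Bob</i>' };
const MENTION = /@:([0-9a-z]+)/g;

// Neutralise every character that can open a tag or break out of an attribute.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-fix behaviour: only the client-side input filter stood between the
// comment and the DOM, so markup in a comment posted via the API renders as-is.
function renderUnsafe(comment) {
  return comment.replace(MENTION, (m, id) => `<mark>${USER_PREVIEWS[id] ?? m}</mark>`);
}

// Wrong fix ordering: sanitising after the replacement also removes the
// <mark> wrapper the UI relies on for highlighting.
function renderMarkLost(comment) {
  return escapeHtml(renderUnsafe(comment));
}

// Patched ordering: sanitise, then insert <mark>. The resolved name is escaped
// as well, because the comment body is not the only user-controlled input.
function renderSafe(comment) {
  return escapeHtml(comment).replace(
    MENTION,
    (m, id) => `<mark>${escapeHtml(USER_PREVIEWS[id] ?? m)}</mark>`,
  );
}

// Constructed sample: a comment whose markup bypassed the client-side filter.
const SAMPLE = 'hi @:a1b2 <a href="https://example.test">link</a> cc @:c3d4';

console.log(renderUnsafe(SAMPLE));   // injected <a> tag survives
console.log(renderMarkLost(SAMPLE)); // no <mark> left: highlighting broken
console.log(renderSafe(SAMPLE));     // tag neutralised, <mark> intact
```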
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @directus/app (npm) | >= 11.0.0, < 13.3.1 | 13.3.1 |
| directus (npm) | >= 10.10.0, < 10.13.4 | 10.13.4 |
| directus (npm) | >= 11.0.0-rc.1, < 11.2.2 | 11.2.2 |
Patches
1 file changed · +4 −4
app/src/views/private/components/comments-sidebar-detail.vue+4 −4 modified@@ -5,6 +5,7 @@ import { localizedFormat } from '@/utils/localized-format'; import { userName } from '@/utils/user-name'; import type { PrimaryKey, User } from '@directus/types'; import { abbreviateNumber } from '@directus/utils'; +import dompurify from 'dompurify'; import { isThisYear, isToday, isYesterday } from 'date-fns'; import { flatten, groupBy, orderBy } from 'lodash'; import { Ref, onMounted, ref, toRefs, watch } from 'vue'; @@ -91,10 +92,9 @@ function useActivity(collection: Ref<string>, primaryKey: Ref<PrimaryKey>) { userPreviews.value = await loadUserPreviews(response.data.data, regex); const activityWithUsersInComments = (response.data.data as Activity[]).map((comment) => { - const display = (comment.comment as string).replace( - regex, - (match) => `<mark>${userPreviews.value[match.substring(2)]}</mark>`, - ); + const display = dompurify + .sanitize(comment.comment as string, { ALLOWED_TAGS: [] }) + .replace(regex, (match) => `<mark>${userPreviews.value[match.substring(2)]}</mark>`); return { ...comment,
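Review bot: the `dompurify.sanitize(...)` call in the second hunk covers only `comment.comment`; the value read from `userPreviews.value[match.substring(2)]` is interpolated into `<mark>` after sanitization has run, so if it can carry markup from a user-editable profile field it should be escaped or sanitized too before being placed in the template string. Note also that this is a render-time fix in `app/src`, so the raw HTML stays in the stored comment and reaches every other consumer of the activity data unchanged; server-side validation of the comment field would be the complementary change.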
1 file changed · +4 −4
app/src/views/private/components/comments-sidebar-detail.vue+4 −4 modified@@ -9,6 +9,7 @@ import { isThisYear, isToday, isYesterday } from 'date-fns'; import { flatten, groupBy, orderBy } from 'lodash'; import { Ref, computed, onMounted, ref, toRefs, watch } from 'vue'; import { useI18n } from 'vue-i18n'; +import dompurify from 'dompurify'; import CommentInput from './comment-input.vue'; import CommentItem from './comment-item.vue'; @@ -100,10 +101,9 @@ function useComments(collection: Ref<string>, primaryKey: Ref<PrimaryKey>) { userPreviews.value = await loadUserPreviews(response, regex); const commentsWithTaggedUsers = (response as Comment[]).map((comment) => { - const display = (comment.comment as string).replace( - regex, - (match) => `<mark>${userPreviews.value[match.substring(2)]}</mark>`, - ); + const display = dompurify + .sanitize(comment.comment as string, { ALLOWED_TAGS: [] }) + .replace(regex, (match) => `<mark>${userPreviews.value[match.substring(2)]}</mark>`); return { ...comment,
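Review bot: the ordering in the second hunk is the load-bearing part and deserves a one-line comment in the code: `sanitize` with `ALLOWED_TAGS: []` runs on the raw comment first and `<mark>` is inserted afterwards, so the highlight wrapper survives; swapping the two steps would strip it. Style point on the first hunk: `import dompurify from 'dompurify';` is placed after `vue-i18n`, out of the alphabetical order the surrounding third-party imports follow (the sibling commit puts it between `@directus/utils` and `date-fns`); move it up to match.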
References
- github.com/advisories/GHSA-r6wx-627v-gh2f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-54128 (NVD advisory)
- github.com/directus/directus/commit/4487fb18d5cb09e071b111d2dc0c9d6bcb437633 (fix commit)
- github.com/directus/directus/commit/c89dbb233fbad2fd0cf41eb99d50c6de4e84195d (fix commit)
- github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f (vendor advisory, x_refsource_CONFIRM)