npm package
directus
pkg:npm/directus
Vulnerabilities (53)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-27296 | — | < 10.8.3 | 10.8.3 | Mar 1, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivial | ||
| CVE-2024-27295 | — | < 10.8.3 | 10.8.3 | Mar 1, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a | ||
| CVE-2023-45820 | — | >= 10.4.0, < 10.6.2 | 10.6.2 | Oct 19, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus | ||
| CVE-2023-38503 | — | >= 10.3.0, < 10.5.0 | 10.5.0 | Jul 25, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorize | ||
| CVE-2020-19850 | — | >= 2.2.0, < 2.2.1 | 2.2.1 | Apr 4, 2023 | An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests. | ||
| CVE-2023-28443 | — | < 9.23.3 | 9.23.3 | Mar 23, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.2 | ||
| CVE-2023-27481 | — | < 9.16.0 | 9.16.0 | Mar 7, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_start | ||
| CVE-2023-27474 | — | < 9.23.0 | 9.23.0 | Mar 6, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to t | ||
| CVE-2023-26492 | — | < 9.23.0 | 9.23.0 | Mar 3, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS | ||
| CVE-2022-26969 | — | < 9.7.0 | 9.7.0 | Dec 26, 2022 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | ||
| CVE-2022-36031 | — | < 9.15.0 | 9.15.0 | Aug 19, 2022 | Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patc | ||
| CVE-2022-23080 | — | >= 9.0.0-beta.2, < 9.7.0 | 9.7.0 | Jun 22, 2022 | In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans. | ||
| CVE-2022-24814 | — | < 9.7.0 | 9.7.0 | Apr 4, 2022 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS fi |
- CVE-2024-27296Mar 1, 2024affected < 10.8.3fixed 10.8.3
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivial
- CVE-2024-27295Mar 1, 2024affected < 10.8.3fixed 10.8.3
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a
- CVE-2023-45820Oct 19, 2023affected >= 10.4.0, < 10.6.2fixed 10.6.2
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus
- CVE-2023-38503Jul 25, 2023affected >= 10.3.0, < 10.5.0fixed 10.5.0
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorize
- CVE-2020-19850Apr 4, 2023affected >= 2.2.0, < 2.2.1fixed 2.2.1
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.
- CVE-2023-28443Mar 23, 2023affected < 9.23.3fixed 9.23.3
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.2
- CVE-2023-27481Mar 7, 2023affected < 9.16.0fixed 9.16.0
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_start
- CVE-2023-27474Mar 6, 2023affected < 9.23.0fixed 9.23.0
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to t
- CVE-2023-26492Mar 3, 2023affected < 9.23.0fixed 9.23.0
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS
- CVE-2022-26969Dec 26, 2022affected < 9.7.0fixed 9.7.0
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
- CVE-2022-36031Aug 19, 2022affected < 9.15.0fixed 9.15.0
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patc
- CVE-2022-23080Jun 22, 2022affected >= 9.0.0-beta.2, < 9.7.0fixed 9.7.0
In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.
- CVE-2022-24814Apr 4, 2022affected < 9.7.0fixed 9.7.0
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS fi
Page 3 of 3