VYPR

Directus

by Monospace

npm: directus

Source repositories

CVEs (67)

  • CVE-2024-36128Jun 3, 2024
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This…

  • CVE-2024-34709May 13, 2024
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if…

  • CVE-2024-34708May 13, 2024
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will…

  • CVE-2024-28238Mar 12, 2024
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser…

  • CVE-2024-28239Mar 12, 2024
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after…

  • CVE-2024-27296Mar 1, 2024
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can…

  • CVE-2024-27295Mar 1, 2024
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with…

  • CVE-2023-45820Oct 19, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash…

  • CVE-2023-38503Jul 25, 2023
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in…

  • CVE-2020-19850Apr 4, 2023
    risk 0.00cvss epss 0.01

    An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.

  • CVE-2023-28443Mar 23, 2023
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version…

  • CVE-2023-27481Mar 7, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a…

  • CVE-2023-27474Mar 6, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to…

  • CVE-2023-26492Mar 3, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a…

  • CVE-2022-26969Dec 26, 2022
    risk 0.00cvss epss 0.01

    In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

  • CVE-2022-36031Aug 19, 2022
    risk 0.00cvss epss 0.01

    Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been…

  • CVE-2022-23080Jun 22, 2022
    risk 0.00cvss epss 0.01

    In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

  • CVE-2022-24814Apr 4, 2022
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS…

  • CVE-2022-22117Jan 10, 2022
    risk 0.00cvss epss 0.01

    In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin…

  • CVE-2022-22116Jan 10, 2022
    risk 0.00cvss epss 0.01

    In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser…