Directus
by Monospace
Source repositories
CVEs (67)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-26595 | | | 0.00 | — | 0.01 | | Feb 23, 2021 | In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only… |
| CVE-2019-13979 | | | 0.00 | — | 0.03 | | Jul 19, 2019 | In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution. |
| CVE-2019-13980 | | | 0.00 | — | 0.02 | | Jul 19, 2019 | In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. |
| CVE-2019-13981 | | | 0.00 | — | 0.01 | | Jul 19, 2019 | In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the… |
| CVE-2019-13982 | | | 0.00 | — | 0.01 | | Jul 19, 2019 | interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview. |
| CVE-2019-13983 | | | 0.00 | — | 0.01 | | Jul 19, 2019 | Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. |
| CVE-2019-13984 | | | 0.00 | — | 0.02 | | Jul 19, 2019 | Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File. |
Page 4 of 4