VYPR

Directus

by Monospace

npm: directus

CVEs (67)

  • CVE-2021-26595 (Feb 23, 2021)
    risk 0.00 cvss epss 0.01

    In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only…

  • CVE-2019-13979 (Jul 19, 2019)
    risk 0.00 cvss epss 0.03

    In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.

  • CVE-2019-13980 (Jul 19, 2019)
    risk 0.00 cvss epss 0.02

    In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.

  • CVE-2019-13981 (Jul 19, 2019)
    risk 0.00 cvss epss 0.01

    In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the…

  • CVE-2019-13982 (Jul 19, 2019)
    risk 0.00 cvss epss 0.01

    interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview.

  • CVE-2019-13983 (Jul 19, 2019)
    risk 0.00 cvss epss 0.01

    Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php.

  • CVE-2019-13984 (Jul 19, 2019)
    risk 0.00 cvss epss 0.02

    Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File.
