VYPR

Vendor CVEs

Monospace

All CVEs

67 total · sorted by risk
  • CVE-2023-28443Mar 23, 2023
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version…

  • CVE-2023-27481Mar 7, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a…

  • CVE-2023-27474Mar 6, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to…

  • CVE-2023-26492Mar 3, 2023
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a…

  • CVE-2022-26969Dec 26, 2022
    risk 0.00cvss epss 0.01

    In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

  • CVE-2022-36031Aug 19, 2022
    risk 0.00cvss epss 0.01

    Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been…

  • CVE-2022-23080Jun 22, 2022
    risk 0.00cvss epss 0.01

    In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

  • CVE-2022-24814Apr 4, 2022
    risk 0.00cvss epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS…

  • CVE-2022-22117Jan 10, 2022
    risk 0.00cvss epss 0.01

    In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin…

  • CVE-2022-22116Jan 10, 2022
    risk 0.00cvss epss 0.01

    In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser…

  • CVE-2021-26595Feb 23, 2021
    risk 0.00cvss epss 0.01

    In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only…

  • CVE-2019-13979Jul 19, 2019
    risk 0.00cvss epss 0.03

    In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.

  • CVE-2019-13980Jul 19, 2019
    risk 0.00cvss epss 0.02

    In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.

  • CVE-2019-13981Jul 19, 2019
    risk 0.00cvss epss 0.01

    In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the…

  • CVE-2019-13982Jul 19, 2019
    risk 0.00cvss epss 0.01

    interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview.

  • CVE-2019-13983Jul 19, 2019
    risk 0.00cvss epss 0.01

    Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php.

  • CVE-2019-13984Jul 19, 2019
    risk 0.00cvss epss 0.02

    Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File.

Page 2 of 2