Lucene search
K

89 matches found

RedhatCVE
RedhatCVE
added 2025/05/22 8:40 p.m.7 views

CVE-2021-26594

In Directus 8.x through 8.8.1, an attacker can switch to the administrator role via the PATCH method without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

8.8CVSS7.2AI score0.01165EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:39 p.m.4 views

CVE-2021-26595

In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products th...

5.3CVSS6.1AI score0.00702EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:36 p.m.9 views

CVE-2021-29641

Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain...

8.8CVSS7.6AI score0.04867EPSS
Exploits3References1
Veracode
Veracode
added 2025/04/07 2:36 a.m.8 views

Unauthorized API Access

Directus is vulnerable to unauthorized API access by suspended users. The vulnerability is due to missing session validation due to the absence of a check in verifySessionJWT to confirm if a user is still active and authorized...

4.3CVSS7AI score0.00337EPSS
Exploits1References2Affected Software2
NVD
NVD
added 2025/03/26 6:15 p.m.15 views

CVE-2025-30352

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the...

5.3CVSS0.00345EPSS
Exploits0References2
CVE
CVE
added 2025/03/26 5:18 p.m.92 views

CVE-2025-30352

CVE-2025-30352 affects Directus real-time API/dashboard. Versions 9.0.0-alpha.4 through 11.5.0 are vulnerable due to the search query parameter not checking view permissions when constructing WHERE clauses, allowing enumeration of contents in fields the user should not see. The underlying issue i...

5.3CVSS7.7AI score0.00345EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2025/03/26 5:18 p.m.16 views

CVE-2025-30352 Directus `search` query parameter allows enumeration of non permitted fields

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the...

5.3CVSS0.00345EPSS
Exploits0References2
NVD
NVD
added 2025/03/26 5:15 p.m.20 views

CVE-2025-30350

Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...

5.3CVSS0.00406EPSS
Exploits1References1
NVD
NVD
added 2025/03/26 5:15 p.m.14 views

CVE-2025-30225

Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...

5.3CVSS0.00406EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/03/26 5:13 p.m.15 views

CVE-2025-30351 Suspended Directus user can continue to use session token to access API

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in...

3.5CVSS0.00337EPSS
Exploits1References2
CVE
CVE
added 2025/03/26 4:27 p.m.91 views

CVE-2025-30225

The CVE affects Directus users via the @directus/storage-driver-s3 driver: versions 9.22.0 up to 11.5.0 (paired Directus 9.22.0 to 11.5.0) are vulnerable to asset unavailability after a burst of malformed transformation requests, causing all assets to return 403 under load. The issue is fixed in ...

5.3CVSS7.6AI score0.00406EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2025/03/26 4:27 p.m.28 views

CVE-2025-30225 Directus's S3 assets become unavailable after a burst of malformed transformations

Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...

5.3CVSS0.00406EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/03/26 12:0 a.m.3 views

Directus 信息泄露漏洞

Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. An information disclosure vulnerability exists in Directus versions prior to 9.12.0 through 11.5.0, which stems from a Webhook trigger that could lead to the disclosure of...

8.6CVSS5.7AI score0.00505EPSS
Exploits1References2
CNNVD
CNNVD
added 2025/03/26 12:0 a.m.8 views

Directus 安全漏洞

Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. A security vulnerability exists in Directus versions prior to 9.22.0 through 11.5.0, which stems from a malformed conversion request that could lead to asset unavailability...

5.3CVSS6.4AI score0.00406EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/03/26 12:0 a.m.8 views

Directus 安全漏洞

Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. A security vulnerability exists in Directus versions prior to 9.22.0 through 11.5.0 that stems from a large number of HEAD requests that could result in unavailable assets...

5.3CVSS6.4AI score0.00406EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2025/03/26 12:0 a.m.6 views

PT-2025-12984 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions 9.12.0 through 11.4.0 Description: Directus is a real-time API and App dashboard for managing SQL database content. When a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a...

8.6CVSS6.6AI score0.00505EPSS
Exploits1References19
Veracode
Veracode
added 2025/02/24 4:53 a.m.10 views

Improper Access Control

Directus is vulnerable to Improper Access Control. The vulnerability is due to improper evaluation of field-level access permissions when multiple overlapping update policies apply, allowing users to update a superset of fields rather than only those permitted for a specific item...

5.4CVSS7AI score0.0022EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2025/02/19 5:15 p.m.59 views

CVE-2025-27089

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

5.4CVSS0.0022EPSS
Exploits0References2
CVE
CVE
added 2025/02/19 4:42 p.m.87 views

CVE-2025-27089

Directus has a vulnerability (CVE-2025-27089) where overlapping update policies can cause a user to update fields not permitted for a specific item. Root cause: the system previously validated access at the item level; the fix evaluates permissions per field in the validateItemAccess query and re...

5.4CVSS5.8AI score0.0022EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/05 4:0 a.m.7 views

CVE-2024-54151

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETSGRAPHQLAUTH or WEBSOCKETSRESTAUTH to "public", an unauthenticated user is able to do any of the supported operations CRUD, subscriptions...

7.5CVSS7.5AI score0.00588EPSS
Exploits1References1
Rows per page
Query Builder