836 matches found

BDU FSTEC, added 2025/03/12 12:00 a.m.

An application-layer vulnerability in Directus, a real-time content management system for SQL databases, related to bypassing authentication with a user-controlled key, allows attackers to gain access to a user's account.

The application-layer vulnerability in the real-time content management system Directus for SQL databases relates to bypassing authentication by using a user-controlled key. Exploiting this vulnerability could allow an attacker to gain access to a user account...

CVSS 4.3 | AI score 5.6 | EPSS 0.00326
Exploits 0 | References 3 | Affected Software 1
vulnersOsv, added 2025/03/07 3:58 p.m.

@aosweb/osui (>=0.0.23 <=0.0.25), @baosight/er (>=0.1.87 <=0.3.2) +44 more potentially affected by CVE-2025-27597 via @intlify/message-resolver (>=9.1.0 <=9.1.10)

@intlify/message-resolver NPM versions =9.1.0, =0.0.23, =0.1.87, =9.14.2, =9.14.2, =0.3.1, =0.5.0, =1.9.7, =9.1.0, =9.1.0, =9.1.0, =9.1.0, =9.1.0, =3.0.0-alpha, =1.8.9, =2.14.0-alpha.3 and more. Source CVEs: CVE-2025-27597. Source advisory: OSV:GHSA-P2PH-7G93-HW3M...

CVSS 9.3 | AI score 5.8 | EPSS 0.00557
Exploits 0
Veracode, added 2025/02/24 4:53 a.m.

Improper Access Control

Directus is vulnerable to Improper Access Control. The vulnerability is due to improper evaluation of field-level access permissions when multiple overlapping update policies apply, allowing users to update a superset of fields rather than only those permitted for a specific item...

CVSS 5.4 | AI score 7 | EPSS 0.0022
Exploits 0 | References 4 | Affected Software 2
RedhatCVE, added 2025/02/21 5:15 p.m.

CVE-2025-27089

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

CVSS 5.4 | AI score 7.4 | EPSS 0.0022
Exploits 0 | References 1
NVD, added 2025/02/19 5:15 p.m.

CVE-2025-27089

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

CVSS 5.4 | EPSS 0.0022
Exploits 0 | References 2
Vulnrichment, added 2025/02/19 4:42 p.m.

CVE-2025-27089 Overlapping policies allow update to non-allowed fields in directus

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

CVSS 5.4 | AI score 5.8 | EPSS 0.0022
Exploits 0 | References 2
Cvelist, added 2025/02/19 4:42 p.m.

CVE-2025-27089 Overlapping policies allow update to non-allowed fields in directus

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

CVSS 5.4 | EPSS 0.0022
Exploits 0 | References 2
OSV, added 2025/02/19 4:42 p.m.

CVE-2025-27089 Overlapping policies allow update to non-allowed fields in directus

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...

CVSS 5.4 | AI score 7.2 | EPSS 0.0022
Exploits 0 | References 4
CVE, added 2025/02/19 4:42 p.m.

CVE-2025-27089

Directus has a vulnerability (CVE-2025-27089) where overlapping update policies can cause a user to update fields not permitted for a specific item. Root cause: the system previously validated access at the item level; the fix evaluates permissions per field in the validateItemAccess query and re...

CVSS 5.4 | AI score 5.8 | EPSS 0.0022
Exploits 0 | References 2 | Affected Software 1
CNNVD, added 2025/02/19 12:00 a.m.

Directus Security Vulnerability

Directus is a real-time API and application dashboard open-sourced by Directus. It is used to manage SQL database content. A security vulnerability exists in Directus versions prior to 11.1.2, which stems from the fact that if an update operation has two overlapping policies that allow access to...

CVSS 5.4 | AI score 6.4 | EPSS 0.0022
Exploits 0 | References 2
RedhatCVE, added 2025/02/05 9:50 p.m.

CVE-2022-24814

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script ta...

CVSS 8.8 | AI score 7.1 | EPSS 0.01018
Exploits 0 | References 1
RedhatCVE, added 2025/02/05 4:00 a.m.

CVE-2024-54151

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...

CVSS 7.5 | AI score 7.5 | EPSS 0.00577
Exploits 1 | References 1
RedhatCVE, added 2025/02/05 3:51 a.m.

CVE-2024-27295

Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more...

CVSS 8.2 | AI score 8.4 | EPSS 0.00702
Exploits 1 | References 1
RedhatCVE, added 2025/02/05 3:38 a.m.

CVE-2024-45596

Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not include a redirect query string. This happens because on that endpoint, for both OpenID...

CVSS 7.4 | AI score 7.5 | EPSS 0.00618
Exploits 1 | References 1
Veracode, added 2025/01/28 7:13 a.m.

Privilege Escalation

Directus is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the sharing feature, which allows users to specify arbitrary roles, bypassing role-based restrictions and gaining access to fields that are normally restricted for certain roles...

CVSS 5 | AI score 6.8 | EPSS 0.00372
Exploits 1 | References 6 | Affected Software 3
vulnersOsv, added 2025/01/23 10:36 p.m.

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (>=11.16.1-depup.0 <=11.17.2-depup.0) +8 more potentially affected by unknown CVE via directus (>=10.10.0 <=11.3.2)

directus NPM versions =10.10.0, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0; directus-extension-blog-year-filter =1.0.0; lease-directus-template =0.0.0. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-9QRM-48QF-R2RW...

AI score 5.8
Exploits 0
OSV, added 2025/01/23 10:36 p.m.

GHSA-9QRM-48QF-R2RW Directus has a DOM-Based cross-site scripting (XSS) via layout_options

Impact: Directus allows an authenticated attacker to save cross-site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with...

CVSS 3.4 | AI score 5.6
Exploits 0 | References 2
vulnersOsv, added 2025/01/23 10:35 p.m.

@bicou/directus-extension-imagga (=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-24353 via @directus/app (>=10.0.0 <=13.3.0)

@directus/app NPM versions =10.0.0, =10.0.0, =1.2.2, =10.0.0, =1.0.0, =2.0.0; directus-extension-blog-year-filter =1.0.0. Source CVEs: CVE-2025-24353. Source advisory: OSV:GHSA-PMF4-V838-29HG...

CVSS 5 | AI score 5.8 | EPSS 0.00372
Exploits 1
vulnersOsv, added 2025/01/23 10:35 p.m.

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (>=11.16.1-depup.0 <=11.17.2-depup.0) +8 more potentially affected by CVE-2025-24353 via directus (>=10.10.0 <=11.1.2)

directus NPM versions =10.10.0, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0; directus-extension-blog-year-filter =1.0.0; lease-directus-template =0.0.0. Source CVEs: CVE-2025-24353. Source advisory: OSV:GHSA-PMF4-V838-29HG...

CVSS 5 | AI score 5.8 | EPSS 0.00372
Exploits 1
OSV, added 2025/01/23 10:35 p.m.

GHSA-PMF4-V838-29HG Directus allows privilege escalation using Share feature

Summary: When sharing an item, a user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Details: Specifying a role on share should be available only for admins. The current flow has a security flaw. Each other...

CVSS 5 | AI score 5.3 | EPSS 0.00372
Exploits 1 | References 7