836 matches found
The vulnerability in the application layer of Directus, a real-time API and app dashboard for managing SQL database content, relates to bypassing authentication by using a user-controlled key. Exploiting this vulnerability could allow an attacker to gain access to a user's account...
@aosweb/osui (>=0.0.23 <=0.0.25), @baosight/er (>=0.1.87 <=0.3.2) +44 more potentially affected by CVE-2025-27597 via @intlify/message-resolver (>=9.1.0 <=9.1.10)
@intlify/message-resolver NPM versions =9.1.0, =0.0.23, =0.1.87, =9.14.2, =9.14.2, =0.3.1, =0.5.0, =1.9.7, =9.1.0, =9.1.0, =9.1.0, =9.1.0, =9.1.0, =3.0.0-alpha, =1.8.9, =2.14.0-alpha.3 and more. Source CVEs: CVE-2025-27597. Source advisory: OSV:GHSA-P2PH-7G93-HW3M...
Improper Access Control
Directus is vulnerable to Improper Access Control. The vulnerability is due to improper evaluation of field-level access permissions when multiple overlapping update policies apply, allowing users to update a superset of fields rather than only those permitted for a specific item...
CVE-2025-27089 Overlapping policies allow update to non-allowed fields in directus
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is...
CVE-2025-27089
Directus has a vulnerability (CVE-2025-27089) in which overlapping update policies can let a user update fields that are not permitted for a specific item. Root cause: access was previously validated at the item level; the fix evaluates permissions per field in the validateItemAccess query and re...
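As an added illustration of the bug class described above (this is not Directus's own code and does not reproduce its validateItemAccess query; the policy shape, field names and sample items are hypothetical simplifications), the following JavaScript contrasts an item-level check that unions the fields of every policy with a per-item evaluation that only grants fields from policies whose filter actually matches the item:

```javascript
// Added example: simplified model of the CVE-2025-27089 bug class.
// Not Directus code. The policy shape is a hypothetical simplification of
// "a policy allows certain fields on the items matching its filter".

// Two overlapping update policies for one user (constructed sample data).
const POLICIES = [
  // Policy A: may update title/body, but only on items in the "blog" category.
  { name: 'A', fields: ['title', 'body'], matches: (item) => item.category === 'blog' },
  // Policy B: may update status, but only on items authored by "alice".
  { name: 'B', fields: ['status'], matches: (item) => item.author === 'alice' },
];

// Constructed sample items.
const ITEMS = {
  blogByBob:   { id: 1, category: 'blog', author: 'bob' },   // only A applies
  docsByAlice: { id: 2, category: 'docs', author: 'alice' }, // only B applies
  blogByAlice: { id: 3, category: 'blog', author: 'alice' }, // both apply
  docsByBob:   { id: 4, category: 'docs', author: 'bob' },   // neither applies
};

// Vulnerable evaluation: checks access at the item level (does *any* policy
// reach this item?) and then grants the union of fields from *all* policies.
function allowedFieldsVulnerable(item, policies = POLICIES) {
  const anyPolicyReachesItem = policies.some((p) => p.matches(item));
  if (!anyPolicyReachesItem) return new Set();
  return new Set(policies.flatMap((p) => p.fields));
}

// Fixed evaluation: a field is granted only by a policy whose filter actually
// matches this item, so the allowed field set is computed per item.
function allowedFieldsFixed(item, policies = POLICIES) {
  return new Set(policies.filter((p) => p.matches(item)).flatMap((p) => p.fields));
}

// Authorize an update payload: returns the sorted list of fields that must be
// rejected (an empty list means the update is permitted as requested).
function rejectedFields(payload, allowed) {
  return Object.keys(payload).filter((f) => !allowed.has(f)).sort();
}

// Wrapper returning a verdict plus the rejected fields.
function authorize(item, payload, evaluator) {
  const rejected = rejectedFields(payload, evaluator(item));
  return { ok: rejected.length === 0, rejected };
}

// Demo: bob's blog post is reachable only through policy A, yet the vulnerable
// path also lets the caller change `status`, which only policy B grants.
const payload = { title: 'new title', status: 'published' };
console.log('vulnerable:', authorize(ITEMS.blogByBob, payload, allowedFieldsVulnerable));
console.log('fixed:     ', authorize(ITEMS.blogByBob, payload, allowedFieldsFixed));
```

The point to verify in any policy engine with overlapping grants is the one the fixed evaluator makes explicit: the set of permitted fields must be derived from the policies that match the specific item being written, not from the superset of every policy the user holds.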
Directus security vulnerability
Directus is a real-time API and application dashboard open-sourced by Directus, used to manage SQL database content. A security vulnerability exists in Directus versions prior to 11.1.2, stemming from the fact that if an update operation has two overlapping policies that allow access to...
CVE-2022-24814
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich-text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script ta...
CVE-2024-54151
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", an unauthenticated user is able to perform any of the supported operations (CRUD, subscriptions...
CVE-2024-27295
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a victim user's password reset email, specifically by having it arrive at an email address similar to the victim's, with one or more...
CVE-2024-45596
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 when the authentication URL did not include a redirect query string. This happens because, on that endpoint, for both OpenID...
Privilege Escalation
Directus is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the sharing feature, which allows users to specify arbitrary roles, bypassing role-based restrictions and gaining access to fields that are normally restricted for certain roles...
@altipla/directus-sdk-utils (=0.7.2), @depup/directus (>=11.16.1-depup.0 <=11.17.2-depup.0) +8 more potentially affected by unknown CVE via directus (>=10.10.0 <=11.3.2)
directus NPM versions =10.10.0, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-9QRM-48QF-R2RW...
GHSA-9QRM-48QF-R2RW Directus has a DOM-Based cross-site scripting (XSS) via layout_options
Impact: Directus allows an authenticated attacker to save cross-site scripting code to the database. This is possible because the application injects an attacker-controlled parameter, which is stored on the server and used by the client, into an unsanitized DOM element. When chained with...
@bicou/directus-extension-imagga (=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-24353 via @directus/app (>=10.0.0 <=13.3.0)
@directus/app NPM versions =10.0.0, =10.0.0, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0. Source CVEs: CVE-2025-24353. Source advisory: OSV:GHSA-PMF4-V838-29HG...
@altipla/directus-sdk-utils (=0.7.2), @depup/directus (>=11.16.1-depup.0 <=11.17.2-depup.0) +8 more potentially affected by CVE-2025-24353 via directus (>=10.10.0 <=11.1.2)
directus NPM versions =10.10.0, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0. Source CVEs: CVE-2025-24353. Source advisory: OSV:GHSA-PMF4-V838-29HG...
GHSA-PMF4-V838-29HG Directus allows privilege escalation using Share feature
Summary: When sharing an item, a user can specify an arbitrary role. This allows the user to use a higher-privileged role to see fields that the user should otherwise not be able to see. Details: Specifying a role on a share should be available only to admins. The current flow has a security flaw. Each other...