836 matches found
CVE-2024-54128 Directus has an HTML Injection in Comment
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application...
CVE-2024-54128
Directus (Comment feature) is vulnerable to HTML injection because a client-side filter for restricted characters can be bypassed. The CVE notes that this bypass enables injection of HTML content, with documented impact and a fix in versions 10.13.4 and 11.2.0. Affected components: Directus core ...
Directus 安全漏洞
Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. A security vulnerability exists in Directus 10.10.0 and earlier versions, which stems from a filter in the commenting feature that runs only on the client side and can be...
be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.4.0), ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0) +679 more potentially affected by CVE-2024-10039 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=26.0.5)
org.keycloak:keycloak-core MAVEN version =1.0-alpha-1, =2.0.0, =0.1.0, =0.0.1, =1.5.1, =1.5.1, =1.6.2, =1.6.2, =1.5.2, =1.5.2, =1.7.2, =1.7.2, =1.0.22, =1.0.22, =1.4.3, =1.4.3, =1.6.5 and more Source cves: CVE-2024-10039 Source advisory: OSV:GHSA-93WW-43RR-79V3...
CVE-2024-47822
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...
CVE-2024-47822
CVE-2024-47822 – Directus : The issue arises from access tokens in query strings not being redacted when LOG_STYLE is set to raw, allowing potential exposure of long‑lived tokens in system logs. This could enable an attacker with log access to gain administrative control or perform unauthorized d...
CVE-2024-47822 Directus inserts access token from query string into logs
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...
CVE-2024-47822 Directus inserts access token from query string into logs
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...
CVE-2024-47822 Directus inserts access token from query string into logs
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...
PT-2024-32834 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.13.2 Description: The issue concerns the exposure of access tokens from query strings in system logs, potentially allowing an attacker to gain administrative control and access to unauthorized data. This occurs...
Directus 日志信息泄露漏洞
Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. Directus suffers from a log information disclosure vulnerability that stems from access tokens being output unprocessed to logs when LOGSTYLE is set to raw...
Local Host Access Bypass
Directus is vulnerable to a Local Host Access Bypass. The vulnerability is due to improper filtering of loopback addresses, where only 127.0.0.1 is blocked, but other 127.X.X.X addresses can bypass restrictions, allowing an attacker to gain unauthorized access to local services...
GHSA-68G8-C275-XF2M Directus vulnerable to SSRF Loopback IP filter bypass
Impact If you're relying on blocking access to localhost using the default 0.0.0.0 filter this can be bypassed using other registered loopback devices like 127.0.0.2 - 127.127.127.127 Workaround You can block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-46990 via @directus/api (>=10.0.0 <=21.0.0-rc.0)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =2.0.0 Source cves: CVE-2024-46990 Source advisory: OSV:GHSA-68G8-C275-XF2M...
@directus/api (>=18.0.0 <=21.0.1) potentially affected by CVE-2024-46990 via directus (>=10.10.0 <=10.13.2)
directus NPM version =10.10.0, =18.0.0, =21.0.1 Source cves: CVE-2024-46990 Source advisory: OSV:GHSA-68G8-C275-XF2M...
Directus vulnerable to SSRF Loopback IP filter bypass
Impact If you're relying on blocking access to localhost using the default 0.0.0.0 filter this can be bypassed using other registered loopback devices like 127.0.0.2 - 127.127.127.127 Workaround You can block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any...
CVE-2024-46990
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices like 127.0.0.2 - 127.127.127.127. This issue has been addressed in...
CVE-2024-46990
Summary: CVE-2024-46990 affects Directus where blocking localhost via the default 0.0.0.0 filter can be bypassed using other loopback addresses (e.g., 127.0.0.2–127.127.127.127). Vulnerability details (supported by connected docs): Directus real-time API and app dashboard fails to restrict access...
CVE-2024-46990 SSRF Loopback IP filter bypass in directus
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices like 127.0.0.2 - 127.127.127.127. This issue has been addressed in...
CVE-2024-46990 SSRF Loopback IP filter bypass in directus
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default 0.0.0.0 filter a user may bypass this block by using other registered loopback devices like 127.0.0.2 - 127.127.127.127. This issue has been addressed in...