CVE-2024-39699
Directus has a Blind SSRF via redirects in file import. The vulnerability arises because redirects are allowed during URL-based imports and the response URL isn’t validated, enabling requests to internal IPs (e.g., 127.0.0.1) despite earlier fixes that only validated DNS/internal IPs. The issue i...
CVE-2024-39699 Directus has a Blind SSRF On File Import
Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-39699 via @directus/api (>=10.0.0 <=17.0.1)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =1.1.2 Source cves: CVE-2024-39699 Source advisory: OSV:GHSA-8P72-RCQ4-H6PW...
GHSA-8P72-RCQ4-H6PW Directus Blind SSRF On File Import
Summary There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
PT-2024-28713
Name of the Vulnerable Software and Affected Versions Directus versions prior to 10.12.0 Description A denial of service DoS attack by field duplication in GraphQL is possible, where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times ...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus. An attacker exploiting this vulnerability could enumerate existing SSO users in an instance...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus versions prior to 10.12.0. An attacker could exploit the vulnerability to overwhelm the server by requesting the same field multiple times in a single query...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus versions prior to 10.9.3, which stems from allowing redirection when importing files from a URL and not checking the URL...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus versions 9.23.0 through 10.5.3 that stems from incorrect handling of the in, nin operators...
PT-2024-28714 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.13.0 Description: The issue allows enumeration of existing SSO users in the instance when relying on SSO providers in combination with local authentication. This is possible because if an email address exists in...
PT-2024-37696 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus version 10.13.0 Description: The issue allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in...
Denial Of Service (DoS)
Directus is vulnerable to Denial of Service (DoS). The vulnerability is caused by providing a non-numeric length value to the random string generation utility, which prevents the generation of random session IDs, resulting in Denial of Service (DoS)...
Directus is soft-locked by providing a string value to random string util
Describe the Bug Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions...
CVE-2024-36128
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of...
CVE-2024-36128 Directus is soft-locked by providing a string value to random string util
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of...
PT-2024-26913 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.11.2 Description: Directus is a real-time API and App dashboard for managing SQL database content. Providing a non-numeric length value to the random string generation utility will create a memory issue, breaking...