836 matches found
CVE-2024-34708
Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields return a redacted placeholder, however if we...
CVE-2024-34709
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if the cookie value is...
Sensitive Information Disclosure
directus is vulnerable to a Sensitive Information Disclosure. The vulnerability is due to inadequate filtering of hashed data when using the alias API, allowing users to retrieve sensitive information in plaintext that is normally redacted...
Insufficient Session Token Expiration
directus is vulnerable to Insufficient Session Token Expiration. This vulnerability is due to improperly invalidating session tokens upon logout, resulting in them remaining valid until their expiration time of one day...
Directus code issue vulnerability
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A code issue vulnerability exists in Directus versions prior to 10.11.0, which stems from session tokens that are not invalidated upon logout...
Directus information disclosure vulnerability
Directus is a real-time API and application dashboard. It is used to manage SQL database content. An information disclosure vulnerability exists in Directus versions prior to 10.11.0 that stems from redacted data being extractable through the API's alias functionality...
GHSA-G65H-35F3-X2W3 Directus Lacks Session Tokens Invalidation
Summary Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by...
@directus/api (>=18.0.0 <=19.0.2) potentially affected by CVE-2024-34708 via directus (>=10.10.0 <=10.10.7)
directus (npm) versions >=10.10.0 <=10.10.7; @directus/api versions >=18.0.0 <=19.0.2. Source cves: CVE-2024-34708 Source advisory: OSV:GHSA-P8V3-M643-4XQX...
GHSA-P8V3-M643-4XQX Directus allows redacted data extraction on the API through "alias"
Summary A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields return a redacted placeholder, however if we change the request to ?alias[workaround]=redacted we can instead retrieve the...
CVE-2024-34709 Directus Lacks Session Tokens Invalidation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if the cookie value is...
CVE-2024-34709
Directus before version 10.11.0 does not invalidate session tokens on logout. The directus_session cookie is destroyed, but if the cookie value is captured, it remains valid for the token's full expiry (1 day by default), effectively making it a long-lived, unrevocable stateless token. The issue ...
CVE-2024-34708 Directus allows redacted data extraction on the API through "alias"
Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields return a redacted placeholder, however if we...
CVE-2024-34708
Directus 10.x is affected by a Sensitive Information Disclosure vulnerability where a user with permission to view any collection can bypass redaction via the alias API parameter (alias[workaround]=redacted), exposing the raw stored values of hashed fields instead of the redaction placeholder. The root cause is improper handling of the a...
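To make the alias bypass concrete, here is an added example that is not Directus code and does not reproduce its query engine: a toy read path over a constructed "users" collection with a hashed `password` column. The vulnerable version applies redaction to the response keyed on the output field name, so requesting the column under an alias (`alias[workaround]=password`) slips past it; the hardened version resolves the alias to its source column first and redacts by that column, so the output name no longer matters. The collection, rows, hash strings and the `HASHED_FIELDS` list are all constructed for the demo.

```javascript
// Added example (not Directus code): output-name keyed redaction is bypassable
// through an alias; column keyed redaction is not.
const REDACTED = "**********";

// Constructed sample rows for a "users" collection; the hashes are made up.
const ROWS = [
  { id: 1, email: "alice@example.com",
    password: "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ" },
  { id: 2, email: "bob@example.com",
    password: "$argon2id$v=19$m=65536,t=3,p=4$b3RoZXJzYWx0$k8gHnCz3R2mn7kFv7XzTo0QfXcEzCaCsdk4Z2mWG3Wk" },
];
// Columns whose stored value must never leave the server.
const HASHED_FIELDS = new Set(["password"]);

// Models a request like ?fields=id,workaround&alias[workaround]=password:
// `fields` are the requested output names, `alias` maps output name -> column.
function selectColumns(fields, alias) {
  return fields.map((name) => ({ out: name, col: alias[name] ?? name }));
}

// Vulnerable: values are copied under their output names, then redaction
// scans the finished response for keys in HASHED_FIELDS. An aliased key
// ("workaround") is not in the set, so the raw hash goes out.
function readVulnerable(fields, alias = {}) {
  const cols = selectColumns(fields, alias);
  return ROWS.map((row) => {
    const out = {};
    for (const { out: name, col } of cols) out[name] = row[col];
    for (const key of Object.keys(out)) if (HASHED_FIELDS.has(key)) out[key] = REDACTED;
    return out;
  });
}

// Hardened: decide per source column, before the value is placed under any
// output name. Renaming the field in the request cannot change `col`.
function readHardened(fields, alias = {}) {
  const cols = selectColumns(fields, alias);
  return ROWS.map((row) => {
    const out = {};
    for (const { out: name, col } of cols) out[name] = HASHED_FIELDS.has(col) ? REDACTED : row[col];
    return out;
  });
}

// Regression check: does any value in the response look like a stored hash?
function leaksHash(rows) {
  return rows.some((r) => Object.values(r).some((v) => typeof v === "string" && v.startsWith("$argon2")));
}
```

The point of `leaksHash` is that a test which only checks `response.password === "**********"` passes on the vulnerable version; the check has to be over every value in the response, whatever key it arrived under.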
PT-2024-26123 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.11.0 Description: The issue concerns session tokens that do not get properly invalidated when a user logs out. Specifically, the directus session is destroyed, and the cookie is deleted, but if the cookie value i...