PT-2024-2179 · Unknown +2 · Mysql Server +2
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.8.3 Description: The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim wi...
PT-2024-21802 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.8.3 Description: Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are...
Denial Of Service (DoS)
directus is vulnerable to Denial Of Service DoS. The vulnerability exists because invalid websocket frames are not properly handled which allows an attacker to crash the application...
GHSA-HMGW-9JRG-HF2M Directus crashes on invalid WebSocket message
Summary It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix if only I had some extra time..., but I decided...
CVE-2023-45820
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has...
CVE-2023-45820
Directus is vulnerable to a DoS via invalid WebSocket frames. When websockets are enabled, receiving an invalid frame can crash the Directus server, leading to high availability impact. The issue affects Directus installations with websockets enabled and has been addressed in version 10.6.2; upgr...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus that stems from the fact that any WebSocket-enabled Directus installation may crash if the WebSocket server receives invalid frames...
GHSA-22RR-F3P8-5GF8 Directus affected by VM2 sandbox escape vulnerability
Impact In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Within Directus this applies to the "Run Script" operation in flows being able to escape the sandbox running code in the main nodejs context...
PT-2023-32964 · Unknown +3 · Isolated-Vm +3
Name of the Vulnerable Software and Affected Versions: vm2 versions up to 3.9.19 Directus versions prior to 10.6.0 Description: The issue allows attackers to bypass Promise handler sanitization in vm2, enabling them to escape the sandbox and execute arbitrary code. This specifically affects the...
Improper Permission Checks
directus is vulnerable to Improper Permission Checks. The vulnerability exists because the permission filters such as user_created IS $CURRENT_USER are not properly checked in the library when using a GraphQL subscription, allowing an attacker to get a subscription event for which they do not have...
CVE-2023-38503
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters i.e. user_created IS $CURRENT_USER are not properly checked when using GraphQL subscription resulting in unauthorized users getting event o...
CVE-2023-38503
Directus (real-time API/dashboard for SQL data) has an authentication/authorization flaw in GraphQL subscriptions. From version 10.3.0 up to, but not including, 10.5.0, permission filters like user_created IS $CURRENT_USER are not properly enforced for subscription events, allowing unauthorized u...