836 matches found
CVE-2023-28443 directus vulnerable to Insertion of Sensitive Information into Log File
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3...
GHSA-8VG2-WF3Q-MWV7 directus vulnerable to Insertion of Sensitive Information into Log File
Summary CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. Details Using v9.23.1, I am seeing that the directus_refresh_token is not...
directus vulnerable to Insertion of Sensitive Information into Log File
Summary CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. Details Using v9.23.1, I am seeing that the directus_refresh_token is not...
Directus log information disclosure vulnerability
Directus is a real-time API and application dashboard used to manage SQL database content. A security vulnerability exists in Directus versions prior to 9.23.3: the directus_refresh_token is not properly redacted from log output and can be used to impersonate a user without...
PT-2023-21726 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.23.3 Description: The issue concerns the improper redaction of the directus refresh token from log outputs, allowing it to be used to impersonate users without their permission. This can lead to issues with...
Server-side Request Forgery (SSRF)
directus is vulnerable to Server-side Request Forgery (SSRF). The vulnerability exists when importing a file from a remote web server via POST to /files/import, allowing an attacker to bypass the security controls that were implemented to patch the CVE-2022-23080 vulnerability by performing a DNS...
Sensitive Information Disclosure
directus is vulnerable to Sensitive Information Disclosure. The vulnerability exists because users with read access to the password field in directus_users can extract the argon2 password hashes by brute-forcing the export functionality combined with a _starts_with filter, which allows an attacker t...
GHSA-M5Q3-8WGF-X8XF Directus vulnerable to extraction of password hashes through export querying
Impact Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes. Patches The problem has been patched by preventing any...
Directus vulnerable to extraction of password hashes through export querying
Impact Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes. Patches The problem has been patched by preventing any...
Cross-site Scripting (XSS)
directus is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to allow-listed reset URLs accepting query parameters, which allows an attacker to inject and execute malicious JavaScript in the browser through an email...
GHSA-4HMQ-GGRM-QFC6 directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or...
CVE-2023-27481
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allow...
Design/Logic Flaw
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allow...
CVE-2023-27481 Extract password hashes through export querying in directus
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allow...
CVE-2023-27481
CVE-2023-27481—Directus password-hash exposure risk : Directus prior to 9.16.0 allowed users with read access to the password field in directus_users to enumerate argon2 password hashes by abusing the export function with a _starts_with filter. The root cause is a permissive filtering path on has...
Directus information disclosure vulnerability
Directus is a real-time API and application dashboard used to manage SQL database content. An information disclosure vulnerability exists in Directus versions prior to 9.16.0. An attacker could exploit the vulnerability to enumerate password hashes...