CVE-2022-23080
Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low-privileged user to perform internal network port scans...
Server-side request forgery (SSRF)
Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low-privileged user to perform internal network port scans...
CVE-2022-23080
Directus CMS: CVE-2022-23080 affects Directus v9.0.0-beta.2 through 9.6.0, enabling SSRF in the media upload flow that lets a low-privilege user perform internal port scans. The connected advisories describe exploit scenarios (e.g., DNS rebinding attempts in file import) and confirm ongoing discu...
CVE-2022-23080 directus - SSRF which leads to internal port scan
Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low-privileged user to perform internal network port scans...
Directus Code Issue Vulnerability
Directus is a real-time API and application dashboard used to manage SQL database content. A code issue vulnerability exists in Directus versions v9.0.0-beta.2 through 9.6.0, which stems from a server-side request forgery (SSRF) vulnerability in the media upload feature. An attacker could us...
Insecure Defaults
Directus is using insecure defaults. The default CORS settings in the Record function of env.ts are very permissive for uncontrolled environments, which allows an attacker to access unauthorized resources in the system...
Directus Cross-Site Scripting Vulnerability (CNVD-2022-81371)
Directus is a live API and application dashboard used to manage SQL database content. A cross-site scripting vulnerability existed prior to Directus version 9.7.0, which stems from the program's lack of validation and filtering of user-supplied data and output. An attacker could exploit this...
GHSA-G27J-74FP-XFPR Insecure default value for CORS configuration
Impact: The default values for the CORS_ENABLED and CORS_ORIGIN configuration were set to be very permissive. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed. Patches: The default values for CORS have been changed in...
Insecure default value for CORS configuration
Impact: The default values for the CORS_ENABLED and CORS_ORIGIN configuration were set to be very permissive. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed. Patches: The default values for CORS have been changed in...
GHSA-XMJJ-3C76-5W84 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus
Impact: Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file, which loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run an...
Cross-Site Scripting (XSS)
Directus is vulnerable to cross-site scripting. The vulnerability exists because the live embed in the WYSIWYG editor is not disabled, which allows an attacker to inject and execute arbitrary JavaScript...
PT-2022-18147 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.7.0. Description: The default settings of CORS_ORIGIN and CORS_ENABLED in Directus are true, which could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed. This is...
CVE-2022-24814
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script ta...
Design/Logic Flaw
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script ta...
CVE-2022-24814 Cross-site Scripting in Directus
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script ta...
CVE-2022-24814
Directus XSS in Rich Text HTML interface: prior to v9.7.0, an iframe that links to an uploaded HTML file can load a second uploaded JS file, bypassing CSP and allowing arbitrary JS execution. Root cause: unsafe handling of embedded JS via WYSIWYG content. Impact: unauthorized JS execution within ...
Directus Cross-Site Scripting Vulnerability
Directus is a live API and application dashboard used to manage SQL database content. A cross-site scripting vulnerability existed prior to Directus version 9.7.0, which stems from the program's lack of validation and filtering of user-supplied data and output. An attacker could exploit this...