CVE-2019-13980

In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads//originals remote code execution with nginx...

CVE-2019-13981

The CVE affects Directus 7 API up to version 2.3.0. An information disclosure exists where remote attackers can read image files by directly requesting a filename under uploads/_/originals/. The vulnerability stems from a configuration option that can make the file collection non-public, but this...

CVE-2019-13981

In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads//originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer...

CVE-2019-13982

Directus 7 Application before 7.7.0 is affected by a vulnerability in interfaces/markdown/input.vue where Markdown text is not sanitized before rendering a preview. This is the only detail provided across sources; no explicit exploit, impact, affected versions beyond

CVE-2019-13982

interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview...

CVE-2019-13983

Directus 7 API before 2.2.2 is affected by insufficient anti-automation due to lack of CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. This creates a risk of automated login attempts (brute force). The evidence across multiple sources confirms the vulnerability in Direct...

CVE-2019-13983

Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php...

CVE-2019-13984

Directus 7 API before 2.3.0 fails to validate uploaded files; regardless of extension or MIME type there is a direct link to each uploaded file, accessible by unauthenticated users. Root cause: missing file validation in the upload flow, enabling access to uploaded content (as demonstrated by the...

CVE-2019-13984

Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File...

Directus Suite CMS 7.0.15 Database Disclosure

Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit Author Discovered By : KingSkrupellos Team : Cyberizm Digital Security Army Date : 02/04/2019 Vendor Homepage : directus.io Software Download Link : github.com/directus/directus/archive/master.zip Software Information Link :...

Directus Elevation of Privilege Vulnerability

Directus is a content management system CMS. A security vulnerability exists in Directus version 6.4.9 that stems from the use of a hard-coded password: admin for the Admin account, which can be exploited by an attacker to elevate privileges...

Hardcoded credentials

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql...

CVE-2018-10723

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql...

CVE-2018-10723

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql...

CVE-2018-10723

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql...

CVE-2018-10723

Directus 6.4.9 contains a hardcoded admin password for the Admin account caused by an INSERT in api/schema.sql. Multiple sources (CNVD-2018-09196, NVD CVE-2018-10723, OSV, PRION) describe this as an elevation of privilege/vector involving a hardcoded credential, enabling potential administrator a...