Lucene search
K

57 matches found

OSV
OSV
added 2025/07/15 3:28 p.m.2 views

GHSA-F24X-RM6G-3W5V Directus tokens are not redacted in flow logs, exposing session credentials to all admin

Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them...

4.5CVSS6.2AI score0.00387EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/07/15 3:28 p.m.10 views

Directus tokens are not redacted in flow logs, exposing session credentials to all admin

Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them...

4.5CVSS6.3AI score0.00387EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2025/05/23 12:4 a.m.7 views

CVE-2022-25185

Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

5.4CVSS5.5AI score0.00648EPSS
Exploits0References1
Veracode
Veracode
added 2025/04/04 4:51 a.m.14 views

Sensitive Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper error handling due to sensitive data being exposed in API responses when a ValidationError is triggered in flows using the "Webhook" trigger and "Data of Last Operation" response body...

8.6CVSS6.5AI score0.00505EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2025/03/26 8:8 p.m.18 views

GHSA-FM3H-P9WM-H74H Directus's webhook trigger flows can leak sensitive data

Describe the Bug In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user...

8.6CVSS6.4AI score0.00505EPSS
Exploits1References3
CVE
CVE
added 2025/03/26 5:26 p.m.111 views

CVE-2025-30353

Directus vulnerability (CVE-2025-30353): In Directus, flows using the Webhook trigger with the Data of Last Operation response can disclose sensitive data when a ValidationError occurs. Affected versions are 9.12.0 up to, but not including, 11.5.0. The exposure includes environment variables, API...

8.6CVSS7.6AI score0.00505EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2025/03/26 12:0 a.m.5 views

PT-2025-12984 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions 9.12.0 through 11.4.0 Description: Directus is a real-time API and App dashboard for managing SQL database content. When a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a...

8.6CVSS6.6AI score0.00505EPSS
Exploits1References19
CNNVD
CNNVD
added 2025/03/26 12:0 a.m.3 views

Directus 信息泄露漏洞

Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. An information disclosure vulnerability exists in Directus versions prior to 9.12.0 through 11.5.0, which stems from a Webhook trigger that could lead to the disclosure of...

8.6CVSS5.7AI score0.00505EPSS
Exploits1References2
BDU FSTEC
BDU FSTEC
added 2023/10/30 12:0 a.m.6 views

The vulnerability of the Jenkins MSTeams Webhook Trigger Plugin, related to the disclosure of information, allows a malicious actor to gain unauthorized access to protected information.

The vulnerability of the Jenkins MSTeams Webhook Trigger Plugin is related to the disclosure of information. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to protected information...

3.7CVSS5.9AI score0.00569EPSS
Exploits0References6Affected Software1
BDU FSTEC
BDU FSTEC
added 2023/10/30 12:0 a.m.7 views

The vulnerability of the Jenkins Multibranch Scan Webhook Trigger Plugin, related to the disclosure of information, allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the Jenkins Multibranch Scan Webhook Trigger Plugin is related to the disclosure of information. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected information...

3.7CVSS5.9AI score0.00557EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2023/10/25 6:32 p.m.13 views

GHSA-2XPQ-5952-38W3 Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this...

3.7CVSS5.5AI score0.00569EPSS
Exploits0References4
OSV
OSV
added 2023/10/25 6:17 p.m.6 views

CVE-2023-46656

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

5.3CVSS5.8AI score0.00557EPSS
Exploits0References2
CVE
CVE
added 2023/10/25 1:45 p.m.58 views

CVE-2023-46658

CVE-2023-46658 affects Jenkins MSTeams Webhook Trigger Plugin (versions 0.1.1 and earlier). The root cause is a non-constant time comparison when verifying the webhook token, which could enable attackers to use statistical methods to deduce a valid token. Public references (GHSA/NVD) describe the...

5.3CVSS5.1AI score0.00569EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/10/25 1:45 p.m.69 views

CVE-2023-46656

CVE-2023-46656 affects Jenkins Multibranch Scan Webhook Trigger Plugin versions 1.0.9 and earlier. The root cause is a non-constant time comparison when verifying the webhook token, which can enable attackers to use statistical methods to determine a valid token. Public references (including Red ...

5.3CVSS5.1AI score0.00557EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/10/25 1:45 p.m.12 views

CVE-2023-46656

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

6.9AI score0.00557EPSS
Exploits0References2
CNNVD
CNNVD
added 2023/10/25 12:0 a.m.3 views

Jenkins Plugin MSTeams Webhook Trigger Security Vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...

5.3CVSS6.6AI score0.00569EPSS
Exploits0References3
CNNVD
CNNVD
added 2023/10/25 12:0 a.m.3 views

Jenkins Plugin Multibranch Scan Webhook Trigger Security Vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project.Jenkins Plugin is a software application. A security vulnerability...

5.3CVSS6.6AI score0.00557EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2023/10/25 12:0 a.m.5 views

PT-2023-6545 · Jenkins · Jenkins Msteams Webhook Trigger Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins MSTeams Webhook Trigger Plugin versions 0.1.1 and earlier Description: The issue is related to information disclosure. It may allow a remote attacker to gain unauthorized access to protected information. The problem lies in the...

5.3CVSS5.1AI score0.00569EPSS
Exploits0References10
Check Point Advisories
Check Point Advisories
added 2022/11/24 12:0 a.m.11 views

Jenkins Generic Webhook Trigger Plugin External Entity Injection (CVE-2021-21669)

An XXE vulnerability exists in Jenkins Generic Webhook Trigger Plugin. The vulnerability is due to insufficient validation of input parameters. Successful exploitation could lead to the disclosure of file contents for any file readable by Jenkins...

7.5CVSS3.2AI score0.25746EPSS
Exploits0
CVE
CVE
added 2022/10/19 12:0 a.m.80 views

CVE-2022-43412

CVE-2022-43412 affects Jenkins Generic Webhook Trigger Plugin (versions 1.84.1 and earlier). The vulnerability stems from a non-constant time comparison when validating the provided webhook token against the expected token, which could enable attackers to infer a valid token via statistical metho...

5.3CVSS5.1AI score0.00501EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder