CVE-2024-39701
Directus is a real-time API and App dashboard for managing SQL database content. Directus <=9.23.0, <=v10.5.3 improperly handles the in and nin operators. It evaluates empty arrays as valid, so expressions like "role": { "in": $CURRENT_USER.somefield } would evaluate to true, allowing the request to pass. This...
CVE-2024-27296 Directus version number disclosure
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known...
CVE-2024-27296
CVE-2024-27296 affects Directus: prior to 10.8.3, the exact Directus version is shipped in compiled JS bundles accessible without authentication, enabling attackers to map to known vulnerabilities in Directus core or dependencies. The issue has been fixed in 10.8.3 and later. Remediation is upgra...
CVE-2024-27295
Directus vulnerability CVE-2024-27295: the password reset flow can be abused due to accent-insensitive and case-insensitive comparisons in MySQL/MariaDB, enabling an attacker to request a reset for a victim’s account by using a near-identical email address (with accented characters). The issue af...
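The reset flow described above, as an added example for this page (illustrative code, not Directus source). The user table, the lookalike address and the fold function are constructed: collationFold() imitates what a MySQL/MariaDB "_ci" collation does to an equality comparison, and the "fixed" variant assumes the remedy of only ever mailing the address stored on the account.

```javascript
// Added example, not Directus code. MySQL/MariaDB "_ci" collations compare
// strings case- and accent-insensitively; collationFold() imitates that in JS
// by decomposing, stripping combining marks and lower-casing.
function collationFold(s) {
  return s.normalize('NFD').replace(/\p{M}/gu, '').toLowerCase();
}

// Constructed user table.
const USERS = [{ id: 1, email: 'victim@example.com' }];

// Imitates `SELECT ... FROM directus_users WHERE email = ?` on a _ci column.
function lookupUserCi(email) {
  return USERS.find((u) => collationFold(u.email) === collationFold(email)) || null;
}

// Vulnerable pattern: the lookup matches a lookalike address, and the reset
// token is mailed to the address from the request, which the requester controls.
function requestResetVulnerable(requestedEmail) {
  const user = lookupUserCi(requestedEmail);
  if (!user) return null;
  return { userId: user.id, sentTo: requestedEmail };
}

// Fixed pattern (assumed remedy): the reset mail only ever goes to the
// address stored on the account, so a lookalike request can at most notify
// the real owner.
function requestResetFixed(requestedEmail) {
  const user = lookupUserCi(requestedEmail);
  if (!user) return null;
  return { userId: user.id, sentTo: user.email };
}

// Constructed attacker address: differs from the victim's only by an accent
// (assumed to be a mailbox the attacker can read, e.g. on a lookalike domain).
const LOOKALIKE = 'victim@ex\u00e1mple.com';
```

Sending to the stored address removes the takeover; to stop the lookalike lookup from matching at all, compare the column under a binary collation (or re-check equality byte for byte in the application) so that the accented and unaccented addresses are distinct.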
CVE-2023-45820 Directus crashes on invalid WebSocket message
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has...
CVE-2023-38503
Directus (real-time API/dashboard for SQL data) has an authentication/authorization flaw in GraphQL subscriptions. From version 10.3.0 up to, but not including, 10.5.0, permission filters like user_created IS $CURRENT_USER are not properly enforced for subscription events, allowing unauthorized u...
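The two filter-handling flaws on this page, the empty in/nin list (CVE-2024-39701) and the unenforced subscription filter (CVE-2023-38503), share the same moving part: a permission filter evaluated against a record for a given user. The block below is an added example written for this page, not Directus code; the filter shape ({ field: { _op: value } }) and the $CURRENT_USER variable follow the advisory text, while the context shape ({ user: {...} }), the subscriber objects and the sample data are assumed.

```javascript
// Added example for this page, not Directus source.

// Resolve "$CURRENT_USER.some.path" against the request context.
function resolveValue(value, ctx) {
  if (typeof value !== 'string' || !value.startsWith('$CURRENT_USER')) return value;
  const path = value.slice('$CURRENT_USER'.length).split('.').filter(Boolean);
  let cur = ctx.user;
  for (const key of path) cur = cur == null ? undefined : cur[key];
  // A missing field means "no values", never "any value".
  return cur === undefined ? [] : cur;
}

// Evaluate the operators on one field. `strictEmpty` selects the fixed
// behaviour for `_in`: an empty list matches nothing.
function matchCondition(actual, condition, ctx, strictEmpty) {
  for (const [op, raw] of Object.entries(condition)) {
    const expected = resolveValue(raw, ctx);
    const list = Array.isArray(expected) ? expected : [expected];
    switch (op) {
      case '_eq':
        if (actual !== expected) return false;
        break;
      case '_in':
        // CVE-2024-39701 pattern: treating "no values listed" as "no
        // restriction" lets a rule whose list is empty pass every request.
        if (!strictEmpty && list.length === 0) break;
        if (!list.includes(actual)) return false;
        break;
      case '_nin':
        if (list.includes(actual)) return false;
        break;
      default:
        throw new Error(`unsupported operator ${op}`);
    }
  }
  return true;
}

// True when `record` satisfies every field condition in `filter`.
function matchesFilter(record, filter, ctx, { strictEmpty = true } = {}) {
  return Object.entries(filter).every(([field, cond]) =>
    matchCondition(record[field], cond, ctx, strictEmpty));
}

// CVE-2023-38503 pattern: a subscription must re-apply each subscriber's
// permission filter to every pushed event, not only to the initial query.
// Returns the ids of the users allowed to receive `event`.
function deliverEvent(subscribers, event, opts) {
  return subscribers
    .filter((sub) => matchesFilter(event.payload, sub.permissionFilter, { user: sub.user }, opts))
    .map((sub) => sub.user.id);
}

// Constructed sample users and event (not from any real deployment).
const alice = { id: 'u-alice', role: 'editor', groups: ['eu'] };
const bob = { id: 'u-bob', role: 'viewer', groups: [] };

function demo() {
  const ownRowsOnly = { user_created: { _eq: '$CURRENT_USER.id' } };
  const subscribers = [
    { user: alice, permissionFilter: ownRowsOnly },
    { user: bob, permissionFilter: ownRowsOnly },
  ];
  const event = { payload: { id: 1, user_created: 'u-alice', title: 'draft' } };
  const roleRule = { role: { _in: '$CURRENT_USER.groups' } };   // bob.groups is []
  return {
    recipients: deliverEvent(subscribers, event),               // only Alice created the row
    emptyInVulnerable: matchesFilter({ role: 'admin' }, roleRule, { user: bob }, { strictEmpty: false }),
    emptyInFixed: matchesFilter({ role: 'admin' }, roleRule, { user: bob }),
  };
}
```

demo() shows both failure modes side by side: with strictEmpty disabled the role rule passes for a user whose list is empty, and deliverEvent() only hands the event to the subscriber whose filter actually matches it.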
CVE-2023-28443
CVE-2023-28443 affects Directus before version 9.23.3, where the token directus_refresh_token is not redacted in logs, enabling potential user impersonation. The root cause is improper token redaction in log output, leading to sensitive data exposure via logging. The vulnerability requires access...
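One way to keep the refresh-token cookie out of request logs, as an added example for this page (not Directus's logger). The log record shape ({ method, url, headers }), the header names handled and the sample request are assumptions; the cookie name comes from the advisory.

```javascript
// Added example, not Directus code. Redacts secret-bearing headers before a
// request/response record reaches the log sink.
const SENSITIVE_COOKIES = new Set(['directus_refresh_token']); // extend as needed

// "a=1; directus_refresh_token=xyz; b=2" -> value of listed cookies replaced
function redactCookieHeader(value) {
  return value.split(';').map((part) => {
    const [name, ...rest] = part.split('=');
    if (rest.length && SENSITIVE_COOKIES.has(name.trim())) return `${name}=[REDACTED]`;
    return part;
  }).join(';');
}

// "name=value; Path=/; HttpOnly" -> value replaced, attributes kept
function redactSetCookie(value) {
  const [pair, ...attrs] = value.split(';');
  const [name, ...rest] = pair.split('=');
  if (rest.length && SENSITIVE_COOKIES.has(name.trim())) return [`${name}=[REDACTED]`, ...attrs].join(';');
  return value;
}

// Returns a redacted deep copy; the live request object is left untouched.
function redactLogRecord(record) {
  const out = JSON.parse(JSON.stringify(record));
  const headers = out.headers || {};
  for (const [h, v] of Object.entries(headers)) {
    const lower = h.toLowerCase();
    if (lower === 'cookie' && typeof v === 'string') headers[h] = redactCookieHeader(v);
    else if (lower === 'set-cookie') headers[h] = Array.isArray(v) ? v.map(redactSetCookie) : redactSetCookie(v);
    else if (lower === 'authorization') headers[h] = '[REDACTED]';
  }
  return out;
}

// Constructed sample request (token value is made up).
const SAMPLE = {
  method: 'POST',
  url: '/auth/refresh',
  headers: {
    cookie: 'directus_refresh_token=abc.def.ghi; theme=dark',
    authorization: 'Bearer made-up-token',
    'set-cookie': ['directus_refresh_token=new.value; Path=/; HttpOnly', 'theme=dark; Path=/'],
  },
};

function demoRedaction() {
  return redactLogRecord(SAMPLE);
}
```

Apply the redaction at the single point where records are serialised for logging, so that no handler-level logger can bypass it.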
CVE-2023-27481
CVE-2023-27481, Directus password-hash exposure risk: Directus prior to 9.16.0 allowed users with read access to the password field in directus_users to enumerate argon2 password hashes by abusing the export function with a _starts_with filter. The root cause is a permissive filtering path on has...
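How a _starts_with filter on a masked field becomes a one-character-per-query oracle, as an added example for this page (toy model, not Directus code). The filter syntax follows the advisory; the record shape, the made-up PHC-format string used as the "hash", the masking convention and the fixed variant's block-list are assumptions.

```javascript
// Added example, not Directus source.
// Characters that can appear in an argon2 PHC string ($argon2id$v=..$m=..,t=..,p=..$salt$hash).
const ARGON2_CHARS = '$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,';

// Constructed records. The password values are made-up strings in PHC format,
// not real hashes of anything.
const RECORDS = [
  { id: 7, email: 'a@example.com', password: '$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$ZmFrZWhhc2hmYWtlaGFzaA' },
  { id: 8, email: 'b@example.com', password: '$argon2id$v=19$m=65536,t=3,p=4$b3RoZXJzYWx0$b3RoZXJmYWtlaGFzaA' },
];

// Minimal filter evaluation: { field: { _eq: v } } and { field: { _starts_with: s } }.
function matches(record, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = String(record[field] ?? '');
    if ('_eq' in cond && record[field] !== cond._eq) return false;
    if ('_starts_with' in cond && !actual.startsWith(cond._starts_with)) return false;
    return true;
  });
}

// Vulnerable pattern: the filter is evaluated against the real hash even
// though the exported rows mask it, so "did anything match?" leaks one
// character of the hash per request.
function exportVulnerable(records, filter) {
  return records.filter((r) => matches(r, filter)).map((r) => ({ ...r, password: '**********' }));
}

// Fixed pattern: refuse filter conditions on fields that hold secrets.
const UNFILTERABLE = new Set(['password']);
function exportFixed(records, filter) {
  for (const field of Object.keys(filter)) {
    if (UNFILTERABLE.has(field)) throw new Error(`filtering on ${field} is not permitted`);
  }
  return exportVulnerable(records, filter);
}

// Attacker side: grow the known prefix one character at a time, pinning the
// target row with _eq so that exactly one record can match.
function recoverHash(exportFn, targetId, maxLen = 256) {
  let known = '';
  while (known.length < maxLen) {
    const next = [...ARGON2_CHARS].find((ch) =>
      exportFn({ id: { _eq: targetId }, password: { _starts_with: known + ch } }).length > 0);
    if (next === undefined) return known; // no character extends the prefix: string complete
    known += next;
  }
  return known;
}
```

The cost is at most |alphabet| queries per character, so a full PHC string falls in a few thousand export calls; any operator that answers a yes/no question about a secret field (_starts_with, _contains, _gt, ...) gives the same oracle, which is why the fix blocks filtering on the field rather than one operator.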
CVE-2023-26492
Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import), exploitable via DNS rebinding to bypass IP deny lists and access sensitive internal data. Affected versions include Directus prior to 9.23.0 (e.g.,
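The resolve-check-then-connect-again race that DNS rebinding exploits, beside the resolve-once form that closes it, as an added example for this page (model code, not Directus source). A scripted resolver and an in-memory backend map stand in for DNS and HTTP so that it runs offline; real code would call dns.lookup() once and open the socket to that address. The deny-list is IPv4 only and the addresses are constructed.

```javascript
// Added example, not Directus code.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// IPv4 only, for brevity; production code must also cover IPv6, IPv4-mapped
// IPv6 and other textual forms of the same address.
function isBlockedIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m) return true;                           // anything unparseable is refused
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Resolver that answers with successive entries (a rebinding record with a
// short TTL), then keeps repeating the last answer. Literal IPs resolve to themselves.
function makeRebindingResolver(answers) {
  let i = 0;
  return (hostname) => (IPV4.test(hostname) ? hostname : answers[Math.min(i++, answers.length - 1)]);
}

// Vulnerable pattern: the deny-list check resolves the name, and the HTTP
// client resolves it again; attacker-controlled DNS answers differently each time.
function importVulnerable(url, resolve, fetchByIp) {
  const host = new URL(url).hostname;
  if (isBlockedIPv4(resolve(host))) throw new Error('destination denied');
  return fetchByIp(resolve(host), host);
}

// Fixed pattern: resolve exactly once, vet that address, connect to it while
// sending the original Host header. Every redirect hop needs the same treatment.
function importFixed(url, resolve, fetchByIp) {
  const host = new URL(url).hostname;
  const ip = resolve(host);
  if (isBlockedIPv4(ip)) throw new Error('destination denied');
  return fetchByIp(ip, host);
}

// Constructed scenario: attacker.example first resolves to a public address,
// then to the link-local metadata address.
const BACKENDS = { '203.0.113.10': 'public file', '169.254.169.254': 'instance metadata' };
const fetchByIp = (ip) => BACKENDS[ip] ?? 'unreachable';
const REBIND = ['203.0.113.10', '169.254.169.254'];

function demo() {
  const url = 'http://attacker.example/import.png';
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  return {
    vulnerable: attempt(() => importVulnerable(url, makeRebindingResolver(REBIND), fetchByIp)),
    fixed: attempt(() => importFixed(url, makeRebindingResolver(REBIND), fetchByIp)),
    direct: attempt(() => importFixed('http://169.254.169.254/latest/', makeRebindingResolver(REBIND), fetchByIp)),
  };
}
```

Note that the fix is not a better deny-list: the list in both variants is identical, and only connecting to the address that was checked removes the race.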
CVE-2022-24814
Directus XSS in Rich Text HTML interface: prior to v9.7.0, an iframe that links to an uploaded HTML file can load a second uploaded JS file, bypassing CSP and allowing arbitrary JS execution. Root cause: unsafe handling of embedded JS via WYSIWYG content. Impact: unauthorized JS execution within ...
Another Facebook hack exposes the primary email address of Facebook users
Last week we explained a critical vulnerability in Facebook that discloses the primary email address of a Facebook user. The bug was later patched by the Facebook Security Team. Today another similar and interesting Facebook hack was disclosed by another bug hunter, Roy Castillo. On his blog he explained a new...