2 matches found
CVE-2021-26593
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/id. For each call, they get in response a lot of information about the user such as email address, first name, and last name but also the secret for 2FA if one exists. This secret can be regenerated. NOTE...
CVE-2021-26593
CVE-2021-26593 affects Directus 8.x–8.8.1, where the API endpoint /users/{id} can disclose extensive user data (email, first name, last name) and the 2FA secret, which can be regenerated. Root cause: exposure via an unauthorized or overly permissive user lookup that returns sensitive fields. Impa...