4 matches found
@altipla/directus-sdk-utils (=0.7.2), @depup/directus (>=11.16.1-depup.0 <=11.17.2-depup.0) +8 more potentially affected by CVE-2025-24353 via directus (>=10.10.0 <=11.1.2)
directus NPM version =10.10.0, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0 Source cves: CVE-2025-24353 Source advisory: OSV:GHSA-PMF4-V838-29HG...
CVE-2025-24353
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...
CVE-2025-24353 Directus privilege escalation vulnerability using Share feature
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...
CVE-2025-24353
Directus prior to version 11.2.0 is vulnerable to privilege escalation via the share feature. A user can specify an arbitrary role when sharing an item, enabling access to fields that should be restricted for their role. Affected instances are those using the share feature with a role hierarchy a...