Lucene search

K

16 matches found

CVE
CVE
added 2023/03/03 10:15 p.m.109 views

CVE-2023-26492

Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import). An attacker can bypass the security controls by performing a DNS rebinding attack and...

7.5CVSS6.5AI score0.00052EPSS
CVE
CVE
added 2024/03/01 4:15 p.m.105 views

CVE-2024-27295

Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more charac...

8.2CVSS8.3AI score0.00675EPSS
CVE
CVE
added 2024/03/01 4:15 p.m.105 views

CVE-2024-27296

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known v...

5.3CVSS5.5AI score0.00334EPSS
CVE
CVE
added 2024/03/12 9:15 p.m.92 views

CVE-2024-28238

Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers g...

2.3CVSS3.7AI score0.00088EPSS
CVE
CVE
added 2024/03/12 9:15 p.m.92 views

CVE-2024-28239

Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a redirect parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful login via the Auth A...

5.4CVSS5.8AI score0.00229EPSS
Web
CVE
CVE
added 2024/10/08 6:15 p.m.91 views

CVE-2024-47822

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOG_STYLE is set to raw. If these logs are not...

4.2CVSS4.9AI score0.00035EPSS
CVE
CVE
added 2022/12/26 6:15 a.m.88 views

CVE-2022-26969

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

9.8CVSS9.4AI score0.00144EPSS
CVE
CVE
added 2023/03/24 12:15 a.m.88 views

CVE-2023-28443

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

5.5CVSS5AI score0.00036EPSS
CVE
CVE
added 2024/07/08 5:15 p.m.79 views

CVE-2024-39895

Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single q...

6.5CVSS6.5AI score0.00821EPSS
CVE
CVE
added 2024/07/08 4:15 p.m.77 views

CVE-2024-39699

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measur...

5CVSS5.3AI score0.00083EPSS
CVE
CVE
added 2024/07/08 6:15 p.m.76 views

CVE-2024-39896

Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to ...

7.5CVSS7.5AI score0.0051EPSS
CVE
CVE
added 2024/06/03 3:15 p.m.72 views

CVE-2024-36128

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of servi...

7.5CVSS7.4AI score0.00461EPSS
CVE
CVE
added 2024/05/14 3:39 p.m.67 views

CVE-2024-34708

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the alias functionality on the API. Normally, these redacted fields will return ********** however ...

4.9CVSS6.7AI score0.00343EPSS
CVE
CVE
added 2024/05/14 3:39 p.m.66 views

CVE-2024-34709

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if the cookie value is c...

5.4CVSS5.6AI score0.00166EPSS
CVE
CVE
added 2022/08/19 9:15 p.m.55 views

CVE-2022-36031

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15.0...

6.5CVSS6.5AI score0.00246EPSS
CVE
CVE
added 2023/03/07 7:15 p.m.45 views

CVE-2023-27481

Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allo...

4.3CVSS4.8AI score0.00213EPSS