Insecure Defaults

2022-04-0705:25:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

55.7%

JSON

directus is using insecure defaults. The use of default CORS settings in the Record function of env.ts which are very permissive for uncontrolled environments allows an attacker to access unauthorized resources in the system.

CPENameOperatorVersion
directusle9.6.0
directusle9.6.0

CPE	Name	Operator	Version
	directus	le	9.6.0
	directus	le	9.6.0

References

developer.mozilla.org/en-US/docs/Web/HTTP/CORS

github.com/advisories/GHSA-g27j-74fp-xfpr

github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md

github.com/directus/directus/commit/826404bcbe769f9bcd526baec41e696237b78ebb

github.com/directus/directus/pull/12022

github.com/directus/directus/releases/tag/v9.7.0

0.002 Low

EPSS

Percentile

55.7%

JSON

Related for VERACODE:35005