directus@0.1.0-preview.11

Directus is a real-time API and App dashboard for managing SQL database content

  • latest version

    11.17.4

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    13 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the directus package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity: C/H/M/L) | Vulnerable Version
    • M
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the redirect parameter on the /admin/tfa-setup page. An attacker can redirect users to an external, attacker-controlled URL by crafting a malicious link and tricking an administrator into visiting it after completing the two-factor authentication setup process.

    How to fix Open Redirect?

    Upgrade directus to version 11.16.1 or higher.

    <11.16.1
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the TUS upload process. An attacker can overwrite arbitrary files and corrupt metadata by uploading files with the UUID of existing files, bypassing item-level access controls. This can lead to permanent data loss, unauthorized modification of files, and potential privilege escalation if sensitive files are replaced.

    How to fix Incorrect Authorization?

    Upgrade directus to version 11.16.1 or higher.

    <11.16.1
    • H
    Cleartext Storage of Sensitive Information

    Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the process that stores revision records and logs flow operation payloads, where sensitive fields are not properly sanitized or redacted. An attacker can gain unauthorized access to confidential information, such as authentication tokens, two-factor authentication secrets, external identifiers, credentials, and API keys, by reading unredacted data from revision records or flow logs.

    How to fix Cleartext Storage of Sensitive Information?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the aggregate query process when applying min or max functions to fields marked as concealed. An attacker can retrieve sensitive concealed field values, such as static API tokens and two-factor authentication secrets, by issuing aggregate queries with groupBy as an authenticated user with read access to the affected collection.

    How to fix Incorrect Authorization?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • H
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the file import process due to improper normalization of IPv4-mapped IPv6 addresses. An attacker can access internal network resources by supplying specially crafted IP address formats that bypass deny-list validation. This is only exploitable if public file-import permissions are enabled.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade directus to version 11.16.0 or higher.

    <11.16.0
    • H
    Improperly Controlled Modification of Dynamically-Determined Object Attributes

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the filename_disk parameter in the file management API. An attacker can overwrite files belonging to other users, write files outside intended storage boundaries, and potentially execute arbitrary code by manipulating this parameter in file upload or update requests.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause service degradation or outage by submitting a single request containing numerous aliases that trigger repeated execution of expensive relational queries. This is only exploitable if rate limiting is disabled.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • C
    Protection Mechanism Failure

    Affected versions of this package are vulnerable to Protection Mechanism Failure in the handling of Single Sign-On login pages due to the absence of the Cross-Origin-Opener-Policy HTTP response header. An attacker can gain unauthorized access to authentication provider accounts by opening the login page in a malicious cross-origin window and intercepting or redirecting the OAuth authorization flow.

    How to fix Protection Mechanism Failure?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the health check resolver process. An attacker can exhaust system resources, leading to service degradation or outage, by sending a single unauthenticated GraphQL request that repeatedly invokes the resolver using multiple aliases.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade directus to version 11.17.0 or higher.

    <11.17.0
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure via the server_specs_graphql resolver on the /graphql/system endpoint, which returns an SDL representation of the schema even when introspection is disabled. An attacker can obtain sensitive schema structure information by sending requests to this endpoint without authentication. This is only exploitable if the GRAPHQL_INTROSPECTION setting is set to false.

    How to fix Information Exposure?

    Upgrade directus to version 11.16.1 or higher.

    <11.16.1
    • M
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the isLoginRedirectAllowed function during the authentication flow. An attacker can redirect users to arbitrary external domains by crafting URLs with malformed path segments that bypass server-side validation but are interpreted as external by browsers. This can lead to users being redirected to attacker-controlled sites after authentication, potentially resulting in phishing or credential theft.

    How to fix Open Redirect?

    Upgrade directus to version 11.16.1 or higher.

    <11.16.1
    • M
    Improper Privilege Management

    Affected versions of this package are vulnerable to Improper Privilege Management via the Share feature. An attacker can escalate privileges and access data or functionality that is normally restricted by specifying an arbitrary role during the item sharing process. This is only exploitable if the instance uses the Share feature and has a specific role hierarchy with fields that are not visible to certain roles.

    How to fix Improper Privilege Management?

    Upgrade directus to version 11.2.0 or higher.

    <11.2.0
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the layout_options due to improper user input sanitization in the setContent function. An attacker can execute arbitrary scripts in the context of the user's session by injecting malicious JavaScript into unsanitized DOM elements that are subsequently rendered by the client. This is only exploitable if the attacker has permissions to modify or create presets for other users or can chain with another vulnerability to escalate privileges.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 11.3.3 or higher.

    <11.3.3
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PATCH /presets endpoint when the application only validates the user parameter in the POST /presets request but not in the PATCH request. An attacker can modify presets created by the same user to assign them to another user by sending a crafted PATCH request with the victim's user ID. This is only exploitable if the attacker has valid authentication credentials and can access the preset ID.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade directus to version 10.13.2 or higher.

    <10.13.2
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /presets and PATCH requests. An authenticated attacker can modify presets created by the same user to assign them to another user by exploiting the lack of validation for the user parameter in the PATCH request.

    Note:

    When chained with CVE-2024-6533, it could result in account takeover.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade directus to version 10.13.2 or higher.

    <10.13.2
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an attacker-controlled parameter that is stored on the server and subsequently used unsanitized in a DOM element. An attacker can execute arbitrary JavaScript on the client by injecting malicious code into this parameter.

    Note:

    When chained with CVE-2024-6534, it could result in account takeover.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 11.3.3 or higher.

    <11.3.3
    • L
    Server-Side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to an improper check of the URL supplied when importing a file and of the URL that results after redirects. An attacker can cause unauthorized requests to internal network resources by manipulating URL redirects during the file import operation.

    How to fix Server-Side Request Forgery (SSRF)?

    Upgrade directus to version 10.9.3 or higher.

    <10.9.3
    • H
    Resource Exhaustion

    Affected versions of this package are vulnerable to Resource Exhaustion through the /graphql endpoint. An attacker can cause the server to perform redundant computations and consume excessive resources.

    How to fix Resource Exhaustion?

    Upgrade directus to version 10.12.0 or higher.

    <10.12.0
    • H
    Improper Check for Unusual or Exceptional Conditions

    Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the random string generation utility. An attacker can disrupt the service by providing a non-numeric length value, which leads to a memory issue that prevents the generation of random strings, affecting session refresh capabilities.

    How to fix Improper Check for Unusual or Exceptional Conditions?

    Upgrade directus to version 10.11.2 or higher.

    <10.11.2
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure through the alias functionality. An attacker can access sensitive data by manipulating the API request parameters.

    Notes:

    This is only exploitable if the user has permissions to view any collection using redacted hashed fields.

    Steps to reproduce:

    1. Set up a simple role with read-access to users.

    2. Create a new user with the role from the previous step

    3. Assign a password to the user

    To confirm this vulnerability, visit /users/me. You should be presented with a redacted JSON object. Next, visit /users/me?alias[hash]=password. This time, the returned JSON object will include the raw password hash instead of the redacted value.

    How to fix Information Exposure?

    Upgrade directus to version 10.11.0 or higher.

    <10.11.0
    • M
    URL Redirection to Untrusted Site ('Open Redirect')

    Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the redirect parameter in the authentication API. An attacker can redirect users to an untrusted site after successful login, potentially leading to phishing attacks by presenting a malicious site that mimics an error message to deceive users into providing sensitive information.

    How to fix URL Redirection to Untrusted Site ('Open Redirect')?

    Upgrade directus to version 10.10.0 or higher.

    <10.10.0
    • L
    Information Exposure Through Sent Data

    Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the process of reaching the /files page where a JWT is passed through a GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places such as web server logs and browser history. Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

    How to fix Information Exposure Through Sent Data?

    Upgrade directus to version 10.10.0 or higher.

    <10.10.0
    • M
    Always-Incorrect Control Flow Implementation

    Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the password reset mechanism combined with default database configurations in MySQL and MariaDB. This allows attackers who know a valid email address to redirect a password reset email intended for a victim by registering a similar email address containing alternative characters that the database engine treats as equivalent to the characters in the stored email address. The API uses the supplied email address for sending the password reset mail instead of the email address from the database.

    How to fix Always-Incorrect Control Flow Implementation?

    Upgrade directus to version 10.8.3 or higher.

    <10.8.3
    • M
    Exposure of Sensitive Information Through Metadata

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the form of the version number, which is included in compiled JS bundles that are accessible without authentication.

    How to fix Exposure of Sensitive Information Through Metadata?

    Upgrade directus to version 10.8.3 or higher.

    <10.8.3
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure: users with read access to the password field in directus_users can extract the argon2 password hashes by brute-forcing the export functionality combined with a _starts_with filter. This allows such a user to enumerate the password hashes character by character.

    How to fix Information Exposure?

    Upgrade directus to version 9.16.0 or higher.

    <9.16.0
    • H
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by allowing attackers to email users URLs that point at the server's own domain but may nonetheless contain malicious code.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.23.1 or higher.

    <9.23.1
    • M
    Server-Side Request Forgery

    Affected versions of this package are vulnerable to Server-Side Request Forgery when importing a file from a remote web server (POST to /files/import). This is a bypass of CVE-2022-23080.

    How to fix Server-Side Request Forgery?

    Upgrade directus to version 9.23.1 or higher.

    <9.23.1
    • M
    Access Restriction Bypass

    Affected versions of this package are vulnerable to Access Restriction Bypass when an authorized user updates the filename_disk value to point at a folder and then accesses that path through the /assets endpoint.

    How to fix Access Restriction Bypass?

    Upgrade directus to version 9.15.0 or higher.

    <9.15.0
    • H
    Insecure Defaults

    Affected versions of this package are vulnerable to Insecure Defaults via the default value for the CORS_ENABLED and CORS_ORIGIN configuration, which was set to be very permissive.

    How to fix Insecure Defaults?

    Upgrade directus to version 9.7.0 or higher.

    <9.7.0
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file via its script tag.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.7.0 or higher.

    <9.7.0