directus@10.10.1 vulnerabilities

Directus is a real-time API and App dashboard for managing SQL database content

Direct Vulnerabilities

Known vulnerabilities in the directus package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Authorization Bypass Through User-Controlled Key

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PATCH /presets endpoint when the application only validates the user parameter in the POST /presets request but not in the PATCH request. An attacker can modify presets created by the same user to assign them to another user by sending a crafted PATCH request with the victim's user ID. This is only exploitable if the attacker has valid authentication credentials and can access the preset ID.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade directus to version 10.13.2 or higher.

<10.13.2
  • M
Authorization Bypass Through User-Controlled Key

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /presets and PATCH requests. An authenticated attacker can modify presets created by the same user to assign them to another user by exploiting the lack of validation for the user parameter in the PATCH request.

Note:

When chained with CVE-2024-6533, it could result in account takeover.

How to fix Authorization Bypass Through User-Controlled Key?

There is no fixed version for directus.

*
  • M
Cross-site Scripting (XSS)

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an attacker-controlled parameter that is stored on the server and subsequently used unsanitized in a DOM element. An attacker can execute arbitrary JavaScript on the client by injecting malicious code into this parameter.

Note:

When chained with CVE-2024-6534, it could result in account takeover.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for directus.

*
  • H
Information Exposure

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure due to the error handling mechanism when integrating SSO with local authentication. An attacker can determine if a user is registered with an SSO provider by attempting to authenticate with an email that is already linked to an SSO account, which triggers a specific error message.

How to fix Information Exposure?

Upgrade directus to version 10.13.0 or higher.

>=10.0.0 <10.13.0
  • H
Resource Exhaustion

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Resource Exhaustion through the /graphql endpoint. An attacker can cause the server to perform redundant computations and consume excessive resources.

How to fix Resource Exhaustion?

Upgrade directus to version 10.12.0 or higher.

<10.12.0
  • H
Improper Check for Unusual or Exceptional Conditions

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the random string generation utility. An attacker can disrupt the service by providing a non-numeric length value, which leads to a memory issue that prevents the generation of random strings, affecting session refresh capabilities.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade directus to version 10.11.2 or higher.

<10.11.2
  • M
Information Exposure

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure through the alias functionality. An attacker can access sensitive data by manipulating the API request parameters.

Notes:

This is only exploitable if the user has permissions to view any collection using redacted hashed fields.

Steps to reproduce:

  1. Set up a simple role with read-access to users.

  2. Create a new user with the role from the previous step

  3. Assign a password to the user

To confirm this vulnerability, visit /users/me. You should be presented with a redacted JSON-object. Next, visit /users/me?alias[hash]=password. This time, the returned JSON object will included the raw password hash instead of the redacted value.

How to fix Information Exposure?

Upgrade directus to version 10.11.0 or higher.

<10.11.0
  • M
Insufficient Session Expiration

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the improper handling of session tokens during logout. An attacker can maintain access using a captured session token by exploiting this behavior.

Notes:

Steps to reproduce:

  1. Copy the current session token from the cookie

  2. Refresh and or log out

  3. Use the saved session token to check if it is still valid

The lack of proper session expiration may improve the likely success of certain attacks. Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.

How to fix Insufficient Session Expiration?

Upgrade directus to version 10.11.0 or higher.

>=10.10.0 <10.11.0