11.3.5
4 years ago
3 days ago
Known vulnerabilities in the directus package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version |
---|---|
directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the How to fix Authorization Bypass Through User-Controlled Key? Upgrade | <10.13.2 |
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Note: When chained with CVE-2024-6533, it could result in account takeover. How to fix Authorization Bypass Through User-Controlled Key? There is no fixed version for | * |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an attacker-controlled parameter that is stored on the server and subsequently used unsanitized in a DOM element. An attacker can execute arbitrary JavaScript on the client by injecting malicious code into this parameter. Note: When chained with CVE-2024-6534, it could result in account takeover. How to fix Cross-site Scripting (XSS)? There is no fixed version for | * |
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to an improper check of the URL when importing a file from a URL, and of the resulting URL. An attacker can execute unauthorized requests to internal network resources by manipulating URL redirects during the file import operation. How to fix Server-Side Request Forgery (SSRF)? Upgrade | <10.9.3 |
Affected versions of this package are vulnerable to Resource Exhaustion through the How to fix Resource Exhaustion? Upgrade | <10.12.0 |
Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the random string generation utility. An attacker can disrupt the service by providing a non-numeric length value, which leads to a memory issue that prevents the generation of random strings, affecting session refresh capabilities. How to fix Improper Check for Unusual or Exceptional Conditions? Upgrade | <10.11.2 |
Affected versions of this package are vulnerable to Information Exposure through the Notes: This is only exploitable if the user has permissions to view any collection using redacted hashed fields. Steps to reproduce: To confirm this vulnerability, visit How to fix Information Exposure? Upgrade | <10.11.0 |
Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade | <10.10.0 |
Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the process of reaching the How to fix Information Exposure Through Sent Data? Upgrade | <10.10.0 |
Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the password reset mechanism implementation combined with default database configurations in MySQL and MariaDB. This allows an attacker who knows a valid email address to redirect a password reset email intended for a victim by registering a similar email address that uses alternative characters the database engine considers equivalent to the characters in the stored email address. The API uses the supplied email address to send the password reset mail instead of the email address from the database. How to fix Always-Incorrect Control Flow Implementation? Upgrade | <10.8.3 |
Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the form of the version number, which is included in compiled JS bundles that are accessible without authentication. How to fix Exposure of Sensitive Information Through Metadata? Upgrade | <10.8.3 |
Affected versions of this package are vulnerable to Information Exposure when users with read access to the How to fix Information Exposure? Upgrade | <9.16.0 |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by allowing attackers to email users URLs on the server's domain that may contain malicious code. How to fix Cross-site Scripting (XSS)? Upgrade | <9.23.1 |
Affected versions of this package are vulnerable to Server-Side Request Forgery when importing a file from a remote web server (POST to How to fix Server-Side Request Forgery? Upgrade | <9.23.1 |
Affected versions of this package are vulnerable to Access Restriction Bypass by having an authorized user update the How to fix Access Restriction Bypass? Upgrade | <9.15.0 |
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) by exposing port information to low-privileged users via the media upload functionality. How to fix Server-side Request Forgery (SSRF)? Upgrade | >=9.0.0-beta.2 <9.7.0 |
Affected versions of this package are vulnerable to Insecure Defaults via the default value for the How to fix Insecure Defaults? Upgrade | <9.7.0 |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by inserting an How to fix Cross-site Scripting (XSS)? Upgrade | <9.7.0 |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unrestricted file upload of How to fix Cross-site Scripting (XSS)? Upgrade | >=9.0.0-alpha.5 <9.4.2 |
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an How to fix Cross-site Scripting (XSS)? Upgrade | >=9.0.0-alpha.5 <9.4.2 |