directus@9.0.0-rc.3 vulnerabilities

Directus is a real-time API and App dashboard for managing SQL database content

  • latest version

    11.3.5

  • first published

    4 years ago

  • latest version published

    3 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the directus package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Authorization Bypass Through User-Controlled Key

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PATCH /presets endpoint when the application only validates the user parameter in the POST /presets request but not in the PATCH request. An attacker can modify presets created by the same user to assign them to another user by sending a crafted PATCH request with the victim's user ID. This is only exploitable if the attacker has valid authentication credentials and can access the preset ID.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade directus to version 10.13.2 or higher.

    <10.13.2
    • M
    Authorization Bypass Through User-Controlled Key

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the POST /presets and PATCH requests. An authenticated attacker can modify presets created by the same user to assign them to another user by exploiting the lack of validation for the user parameter in the PATCH request.

    Note:

    When chained with CVE-2024-6533, it could result in account takeover.

    How to fix Authorization Bypass Through User-Controlled Key?

    There is no fixed version for directus.

    *
    • M
    Cross-site Scripting (XSS)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an attacker-controlled parameter that is stored on the server and subsequently used unsanitized in a DOM element. An attacker can execute arbitrary JavaScript on the client by injecting malicious code into this parameter.

    Note:

    When chained with CVE-2024-6534, it could result in account takeover.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for directus.

    *
    • L
    Server-Side Request Forgery (SSRF)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to improper check when importing file from the URL and the result URL. An attacker can execute unauthorized requests to internal network resources by manipulating URL redirects during the file import operation.

    How to fix Server-Side Request Forgery (SSRF)?

    Upgrade directus to version 10.9.3 or higher.

    <10.9.3
    • H
    Resource Exhaustion

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Resource Exhaustion through the /graphql endpoint. An attacker can cause the server to perform redundant computations and consume excessive resources.

    How to fix Resource Exhaustion?

    Upgrade directus to version 10.12.0 or higher.

    <10.12.0
    • H
    Improper Check for Unusual or Exceptional Conditions

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the random string generation utility. An attacker can disrupt the service by providing a non-numeric length value, which leads to a memory issue that prevents the generation of random strings, affecting session refresh capabilities.

    How to fix Improper Check for Unusual or Exceptional Conditions?

    Upgrade directus to version 10.11.2 or higher.

    <10.11.2
    • M
    Information Exposure

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Information Exposure through the alias functionality. An attacker can access sensitive data by manipulating the API request parameters.

    Notes:

    This is only exploitable if the user has permissions to view any collection using redacted hashed fields.

    Steps to reproduce:

    1. Set up a simple role with read-access to users.

    2. Create a new user with the role from the previous step

    3. Assign a password to the user

    To confirm this vulnerability, visit /users/me. You should be presented with a redacted JSON-object. Next, visit /users/me?alias[hash]=password. This time, the returned JSON object will included the raw password hash instead of the redacted value.

    How to fix Information Exposure?

    Upgrade directus to version 10.11.0 or higher.

    <10.11.0
    • M
    URL Redirection to Untrusted Site ('Open Redirect')

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the redirect parameter in the authentication API. An attacker can redirect users to an untrusted site after successful login, potentially leading to phishing attacks by presenting a malicious site that mimics an error message to deceive users into providing sensitive information.

    How to fix URL Redirection to Untrusted Site ('Open Redirect')?

    Upgrade directus to version 10.10.0 or higher.

    <10.10.0
    • L
    Information Exposure Through Sent Data

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the process of reaching the /files page where a JWT is passed through a GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places such as web server logs and browser history. Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

    How to fix Information Exposure Through Sent Data?

    Upgrade directus to version 10.10.0 or higher.

    <10.10.0
    • M
    Always-Incorrect Control Flow Implementation

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the password reset mechanism implementation combined with default database configurations in MySQL and MariaDB. This allows attackers in possession of a known good email address to redirect a password reset email intended for a victim by registering a similar email address with alternative characters that are considered equivalent to the same ones as characters in the stored email address, by the database engine. The API uses the supplied email address for sending the reset password mail instead of the email address from the database.

    How to fix Always-Incorrect Control Flow Implementation?

    Upgrade directus to version 10.8.3 or higher.

    <10.8.3
    • M
    Exposure of Sensitive Information Through Metadata

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the form of the version number, which is included in compiled JS bundles that are accessible without authentication.

    How to fix Exposure of Sensitive Information Through Metadata?

    Upgrade directus to version 10.8.3 or higher.

    <10.8.3
    • M
    Information Exposure

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Information Exposure when users with read access to the password field in directus_users can extract the argon2 password hashes by brute-forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes.

    How to fix Information Exposure?

    Upgrade directus to version 9.16.0 or higher.

    <9.16.0
    • H
    Cross-site Scripting (XSS)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by allowing attackers to email users URLs to the servers domain but which may contain malicious code.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.23.1 or higher.

    <9.23.1
    • M
    Server-Side Request Forgery

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Server-Side Request Forgery when importing a file from a remote web server (POST to /files/import). This is a bypass of CVE-2022-23080.

    How to fix Server-Side Request Forgery?

    Upgrade directus to version 9.23.1 or higher.

    <9.23.1
    • M
    Access Restriction Bypass

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Access Restriction Bypass by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint.

    How to fix Access Restriction Bypass?

    Upgrade directus to version 9.15.0 or higher.

    <9.15.0
    • M
    Server-side Request Forgery (SSRF)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) by exposing port information to low-privileged users via the media upload functionality.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade directus to version 9.7.0 or higher.

    >=9.0.0-beta.2 <9.7.0
    • H
    Insecure Defaults

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Insecure Defaults via the default value for the CORS_ENABLED and CORS_ORIGIN configuration, which was set to be very permissive.

    How to fix Insecure Defaults?

    Upgrade directus to version 9.7.0 or higher.

    <9.7.0
    • M
    Cross-site Scripting (XSS)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by inserting an iframe into the rich text HTML interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.7.0 or higher.

    <9.7.0
    • M
    Cross-site Scripting (XSS)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unrestricted file upload of HTML files, of which content isn't escaped, in the media upload feature. This HTML file can be set as an avatar, and when another user opens it the payload is executed.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.4.2 or higher.

    >=9.0.0-alpha.5 <9.4.2
    • M
    Cross-site Scripting (XSS)

    directus is a Directus is a real-time API and App dashboard for managing SQL database content.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an SVG file upload in the media upload functionality. An attacker can include javascript code inside the image which will be executed in the victim’s browser when they open the image URL.

    How to fix Cross-site Scripting (XSS)?

    Upgrade directus to version 9.4.2 or higher.

    >=9.0.0-alpha.5 <9.4.2