directus directus vulnerabilities and exploits

(subscribe to this query)

In directus versions v9.0.0-beta.2 up to and including 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

Directus Directus Rangerstudio Directus Rangerstudio Directus 9.0.0

In Directus, versions 9.0.0-alpha.4 up to and including 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when...

Directus Directus Rangerstudio Directus Rangerstudio Directus 9.0.0

In Directus, versions 9.0.0-alpha.4 up to and including 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim&rsq...

Directus Directus Rangerstudio Directus Rangerstudio Directus 9.0.0

Directus v10.13.0 allows an authenticated external malicious user to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH re...

Monospace Directus Directus Directus Monospace Directus 10.13.0

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorize...

Directus Directus Monospace Directus

Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS...

Directus Directus Monospace Directus

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.2...

Directus Directus Monospace Directus

Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to t...

Directus Directus Rangerstudio Directus

Directus is a real-time API and App dashboard for managing SQL database content. In versions before 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_...

Directus Directus Monospace Directus

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS fi...

Directus Directus Rangerstudio Directus

1 2 3 4 5 NEXT »

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook