CVE-2024-27295 – Directus MySQL accent insensitive email matching
https://notcve.org/view.php?id=CVE-2024-27295
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3. • https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVE-2023-28443 – directus vulnerable to Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2023-28443
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. • https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 • CWE-284: Improper Access Control CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-27481 – Extract password hashes through export querying in directus
https://notcve.org/view.php?id=CVE-2023-27481
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. • https://github.com/directus/directus/pull/14829 https://github.com/directus/directus/pull/15010 https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-27474 – HTML Injection in Password Reset email to custom Reset URL in directus
https://notcve.org/view.php?id=CVE-2023-27474
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. • https://github.com/directus/directus/issues/17119 https://github.com/directus/directus/pull/17120 https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-26492 – Directus vulnerable to Server-Side Request Forgery On File Import
https://notcve.org/view.php?id=CVE-2023-26492
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. • https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff https://github.com/directus/directus/releases/tag/v9.23.0 https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h • CWE-918: Server-Side Request Forgery (SSRF) •