CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38503 – Directus has Incorrect Permission Checking for GraphQL Subscriptions
https://notcve.org/view.php?id=CVE-2023-38503
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen. Version 10.5.0 contains a patch. • https://github.com/directus/directus/pull/19155 https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19850
https://notcve.org/view.php?id=CVE-2020-19850
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests. • https://github.com/directus/api/issues/982 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-28443 – directus vulnerable to Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2023-28443
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3. • https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13 https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7 • CWE-284: Improper Access Control CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27481 – Extract password hashes through export querying in directus
https://notcve.org/view.php?id=CVE-2023-27481
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. • https://github.com/directus/directus/pull/14829 https://github.com/directus/directus/pull/15010 https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27474 – HTML Injection in Password Reset email to custom Reset URL in directus
https://notcve.org/view.php?id=CVE-2023-27474
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. • https://github.com/directus/directus/issues/17119 https://github.com/directus/directus/pull/17120 https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •