CVE-2023-26492 – Directus vulnerable to Server-Side Request Forgery On File Import
https://notcve.org/view.php?id=CVE-2023-26492
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. • https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff https://github.com/directus/directus/releases/tag/v9.23.0 https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-26969
https://notcve.org/view.php?id=CVE-2022-26969
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. En Directus anterior a 9.7.0, la configuración predeterminada de CORS_ORIGIN y CORS_ENABLED es verdadera. • https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md https://github.com/directus/directus/pull/12022 https://github.com/directus/directus/releases/tag/v9.7.0 https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822 •
CVE-2022-36031 – Unhandled exception on illegal filename_disk value
https://notcve.org/view.php?id=CVE-2022-36031
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`. • https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2022-24814 – Cross-site Scripting in Directus
https://notcve.org/view.php?id=CVE-2022-24814
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface. • https://github.com/directus/directus/pull/12020 https://github.com/directus/directus/releases/tag/v9.7.0 https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •