HTML Injection in Password Reset email to custom Reset URL in directus
CVE-2023-27474
What is CVE-2023-27474?
An HTML injection vulnerability exists in the password reset email sent by the Directus API management tool in versions prior to 9.23.0. The password reset flow accepts a custom reset URL that is validated against an allow list, but the validation can be passed with an allow-listed URL that carries attacker-chosen query parameters, and those parameters are rendered into the HTML of the reset email. An attacker can therefore craft a link that begins with the server's own allow-listed domain, looks legitimate to the recipient, and yet points where the attacker chooses, enabling malicious email communication with users. Upgrade to Directus 9.23.0 or later; if upgrading is not possible, remove custom reset URLs from the allow list.
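The example below is added here to illustrate the class of bug the advisory describes; it is constructed example code, not Directus's implementation, and the names `ALLOW_LIST`, `buildResetEmailVulnerable` and `buildResetEmailFixed` are assumptions. The vulnerable variant models an allow-list check that ignores the query string and then interpolates the caller-supplied URL unescaped into the email HTML; the hardened variant parses the URL, requires an exact match with no caller-supplied query or fragment, appends the token itself, and HTML-escapes the value before rendering.

```javascript
// Constructed example: an allow-listed password-reset URL rendered into an
// HTML email. Not Directus's code; ALLOW_LIST and the two builder functions
// are illustrative names chosen for this example.

// Allow list normalised through the URL parser so comparisons are exact.
const ALLOW_LIST = ['https://app.example.com/reset-password'].map(
  (u) => new URL(u).href,
);

// Vulnerable pattern: only the part before '?' is checked against the allow
// list, and the raw caller-supplied URL is interpolated into the HTML template.
// An attacker passes an allow-listed prefix followed by a query string that
// closes the href attribute and opens a second anchor to their own domain.
function buildResetEmailVulnerable(resetUrl, token) {
  const base = resetUrl.split('?')[0];
  if (!ALLOW_LIST.includes(base)) throw new Error('reset URL not allowed');
  const link = `${resetUrl}${resetUrl.includes('?') ? '&' : '?'}token=${token}`;
  return `<p>Click <a href="${link}">here</a> to reset your password.</p>`;
}

// Minimal HTML attribute/text escaper.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: parse the URL, reject any caller-supplied query string or
// fragment, require the whole normalised URL to be allow-listed, append the
// token via URLSearchParams, and escape before interpolating into HTML.
function buildResetEmailFixed(resetUrl, token) {
  let parsed;
  try {
    parsed = new URL(resetUrl);
  } catch {
    throw new Error('invalid reset URL');
  }
  if (parsed.search !== '' || parsed.hash !== '') {
    throw new Error('query string and fragment are not allowed');
  }
  if (!ALLOW_LIST.includes(parsed.href)) throw new Error('reset URL not allowed');
  parsed.searchParams.set('token', token);
  return `<p>Click <a href="${escapeHtml(parsed.href)}">here</a> to reset your password.</p>`;
}

// Constructed attacker input: allow-listed prefix plus an injected anchor.
const ATTACK_URL =
  'https://app.example.com/reset-password?x="><a href="https://attacker.example/phish">';

// Returns whether a rendered email contains a link to the attacker's domain.
function containsAttackerLink(html) {
  return html.includes('href="https://attacker.example/phish"');
}
```

Running `buildResetEmailVulnerable(ATTACK_URL, 'tok123')` yields an email whose first anchor still begins with the allow-listed domain, which is what makes the message convincing, while a second anchor points at the attacker; `buildResetEmailFixed` rejects the same input before any HTML is built. Dropping the `split('?')` and comparing the parsed, normalised URL is the essential part of the fix; escaping is defence in depth in case a future allow-list entry ever contains attribute-breaking characters.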

Affected Version(s)
directus < 9.23.0
