HTML Injection in Password Reset email to custom Reset URL in directus
CVE-2023-27474
8 HIGH
What is CVE-2023-27474?
Directus versions before 9.23.0 contain an HTML injection flaw in the password reset email. The reset flow lets the caller supply a custom reset URL, which the API checks against an allow list; the check accepts an allow-listed URL even when query parameters have been appended to it, and the resulting URL is placed into the reset email. An attacker can therefore supply an allow-listed reset URL carrying crafted query parameters and have the server send a link that shows the server's own domain and looks legitimate while the injected content controls what the recipient sees or where they are taken, turning the server into a sender of malicious email to its own users. Upgrade to Directus 9.23.0 or later. If upgrading is not possible, remove custom reset URLs from the allow list so the reset flow no longer accepts a caller-supplied URL.
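The following is an added example, not Directus code, that models the two defects the description combines: an allow-list check that accepts an allow-listed reset URL with attacker-appended query parameters, and an email template that embeds that URL without escaping, alongside a check that compares origin and path exactly and rejects any query or fragment before the URL is escaped and inserted. The allow-list value, the sample token and the attacker URL are constructed for the example.

```javascript
// Added example modelling CVE-2023-27474; not code from the Directus project.
// ALLOW_LIST, TOKEN and ATTACKER_URL are constructed sample values.

const ALLOW_LIST = ['https://app.example.com/reset-password'];
const TOKEN = 'tok_0123456789abcdef'; // constructed sample reset token

// Weak check: a prefix match lets anything appended to an allow-listed
// value through, including a query string.
function weakIsAllowed(resetUrl) {
  return ALLOW_LIST.some((allowed) => resetUrl.startsWith(allowed));
}

// Weak rendering: the caller-supplied URL goes into the HTML verbatim,
// so markup carried in a query parameter breaks out of the href attribute.
function weakRenderEmail(resetUrl, token) {
  const link = `${resetUrl}?token=${token}`;
  return `<p>Reset your password: <a href="${link}">${link}</a></p>`;
}

// Hardened check: parse the URL, refuse credentials, query and fragment,
// and require an exact origin + pathname match against the allow list.
function strictIsAllowed(resetUrl) {
  let candidate;
  try {
    candidate = new URL(resetUrl);
  } catch {
    return false;
  }
  if (candidate.search !== '' || candidate.hash !== '' ||
      candidate.username !== '' || candidate.password !== '') {
    return false;
  }
  return ALLOW_LIST.some((allowed) => {
    const a = new URL(allowed);
    return candidate.origin === a.origin && candidate.pathname === a.pathname;
  });
}

// Minimal HTML attribute/text escaping for values placed in the template.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: the token is added through the URL API and the
// final string is escaped before it is embedded.
function strictRenderEmail(resetUrl, token) {
  const link = new URL(resetUrl);
  link.searchParams.set('token', token);
  const href = escapeHtml(link.toString());
  return `<p>Reset your password: <a href="${href}">${href}</a></p>`;
}

// Constructed attacker input: the allow-listed value plus a query parameter
// whose value closes the href attribute and opens a link to another host.
const ATTACKER_URL =
  'https://app.example.com/reset-password?x="><a href="https://evil.example">click</a>';

// Runs through both paths when executed directly.
console.log('weak allows attacker URL:', weakIsAllowed(ATTACKER_URL));
console.log(weakRenderEmail(ATTACKER_URL, TOKEN));
console.log('strict allows attacker URL:', strictIsAllowed(ATTACKER_URL));
console.log(strictRenderEmail(ALLOW_LIST[0], TOKEN));
```

The weak path accepts the attacker URL and emits an email whose HTML contains a second anchor pointing at the attacker's host, while the first anchor still displays the server's domain. The strict path rejects the same input at the allow-list check, so the rendering step never sees it; escaping the embedded value is the second, independent layer that matters if a future allow-list entry legitimately carries characters special to HTML.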
Affected Version(s)
directus < 9.23.0