Directus vulnerable to HTML Injection
CVE-2024-54128

5.7MEDIUM

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 5 December 2024

What is CVE-2024-54128?

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0.

Affected Version(s)

directus >= 10.10.0, < 10.13.4 < 10.10.0, 10.13.4

directus >= 11.0.0-rc.1, < 11.2.0 < 11.0.0-rc.1, 11.2.0

References

https://github.com/directus/directus/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2024
Vulnerability Reserved
Nov 29, 2024