A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.
This advisory duplicates another.
An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The RelayState parameter is used in redirects without proper validation against an allowlist of permitted domains.
A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (****), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.
An observable difference in error messaging was found in the Directus REST API. The /items/{collection} API returns different error messages for these two cases: A user tries to access an existing collection which they are not authorized to access. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections.
A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI.
Access token from query string is not redacted and is potentially exposed in system logs which may be persisted.
Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status.
If there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == …
When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.
If you're relying on blocking access to localhost using the default 0.0.0.0 filter this can be bypassed using other registered loopback devices (like 127.0.0.2 - 127.127.127.127)
Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. For example: Project is configured with OpenID or OAuth2 Project is configured with cache enabled User tries to login via SSO link, but without redirect query string After successful login, credentials are cached If an unauthenticated user tries to login via SSO link, it will return the …
There was already a reported SSRF vulnerability via file import. https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to …