GHSA-qf6h-p3mr-vmh5: Duplicate Advisory: Code injection in Directus

August 15, 2024 (updated March 22, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9qrm-48qf-r2rw. This link is maintained to preserve external references.

Original Description

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.

References

directus.io/
fluidattacks.com/advisories/bocelli
github.com/advisories/GHSA-qf6h-p3mr-vmh5
github.com/directus/directus
nvd.nist.gov/vuln/detail/CVE-2024-6533

Code Behaviors & Features

Detect and mitigate GHSA-qf6h-p3mr-vmh5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →