We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-54128

Directus has an HTML Injection in Comment



Description

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0.

Reserved 2024-11-29 | Published 2024-12-05 | Updated 2024-12-06 | Assigner GitHub_M


MEDIUM: 5.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

>= 10.10.0, < 10.13.4
affected

>= 11.0.0-rc.1, < 11.2.0
affected

References

github.com/...rectus/security/advisories/GHSA-r6wx-627v-gh2f

cve.org (CVE-2024-54128)

nvd.nist.gov (CVE-2024-54128)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-54128

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.