Published: 15 Aug 2024
Source: github
GitHub: reviewed
CVSS4: 6.9
CVSS3: 4.1
Description
Duplicate Advisory: Code injection in Directus
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9qrm-48qf-r2rw. This link is maintained to preserve external references.
Original Description
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.
Packages
Name: directus (npm)
Affected versions: <= 10.13.0
Fixed version: none
CVSS4: 6.9 Medium
CVSS3: 4.1 Medium
Weaknesses: CWE-79