Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the value of the directus_refresh_token cookie is not redacted from log output; anyone with read access to the logs can replay the token to impersonate the user it belongs to, without that user's consent. This issue is patched in version 9.23.3.
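The root cause described above is a logging path that writes request and response material to the log without scrubbing the refresh-token cookie. The serializer below is an added illustration, not Directus' own logging code, of the kind of redaction such a path needs: it returns a copy of a request record with the directus_refresh_token cookie value, the Authorization header and refresh-token body fields blanked, leaving benign headers and fields intact. The header and field names other than directus_refresh_token, and the sample request, are assumptions constructed for the example.

```javascript
// Added illustration (not Directus' own logging code): a request serializer
// that redacts the directus_refresh_token cookie, the Authorization header
// and refresh-token fields before a request record reaches the log.
// Field and header names other than directus_refresh_token are assumed.
const REDACTED = '--redacted--';

// Cookie names whose values must never reach a log line.
const SENSITIVE_COOKIES = new Set(['directus_refresh_token']);
// Headers replaced wholesale (bearer material; assumed list).
const SENSITIVE_HEADERS = new Set(['authorization']);
// Body/query keys replaced wholesale (assumed list).
const SENSITIVE_FIELDS = new Set(['refresh_token', 'access_token', 'password']);

// "directus_refresh_token=abc; theme=dark" -> token value replaced, rest kept.
function redactCookieHeader(value) {
  return value
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      if (eq === -1) return part;
      const name = part.slice(0, eq);
      return SENSITIVE_COOKIES.has(name.toLowerCase()) ? `${name}=${REDACTED}` : part;
    })
    .join('; ');
}

// Set-Cookie value "directus_refresh_token=abc; Path=/; HttpOnly":
// only the leading name=value pair carries the secret; attributes are kept.
function redactSetCookieHeader(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  if (!SENSITIVE_COOKIES.has(name.toLowerCase())) return value;
  return [`${name}=${REDACTED}`, ...attrs].join('; ');
}

// Returns a new headers object; never mutates the live request.
function redactHeaders(headers) {
  const out = {};
  for (const [key, value] of Object.entries(headers)) {
    const k = key.toLowerCase();
    if (SENSITIVE_HEADERS.has(k)) {
      out[key] = REDACTED;
    } else if (k === 'cookie' && typeof value === 'string') {
      out[key] = redactCookieHeader(value);
    } else if (k === 'set-cookie') {
      const list = Array.isArray(value) ? value : [value];
      out[key] = list.map(redactSetCookieHeader);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Recursively copies a body/query object, blanking sensitive keys.
function redactFields(obj) {
  if (Array.isArray(obj)) return obj.map(redactFields);
  if (obj === null || typeof obj !== 'object') return obj;
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = SENSITIVE_FIELDS.has(key.toLowerCase()) ? REDACTED : redactFields(value);
  }
  return out;
}

// Hand this to the logger instead of the raw request object.
function serializeRequestForLog(req) {
  return {
    method: req.method,
    url: req.url,
    headers: redactHeaders(req.headers || {}),
    query: redactFields(req.query || {}),
    body: redactFields(req.body),
  };
}

// Constructed sample request (not captured from a real deployment).
const sampleRequest = {
  method: 'POST',
  url: '/auth/refresh',
  headers: {
    cookie: 'directus_refresh_token=r3fr3sh-s3cr3t; theme=dark',
    authorization: 'Bearer acc3ss-s3cr3t',
    'content-type': 'application/json',
  },
  body: { refresh_token: 'r3fr3sh-s3cr3t', mode: 'json' },
};

console.log(JSON.stringify(serializeRequestForLog(sampleRequest), null, 2));
```

The serializer copies rather than mutates, so the live request keeps working after it has been logged, and it redacts per cookie rather than dropping the whole Cookie header, so non-secret cookies remain available for debugging. A quick check that the fix is in place on a deployment is to trigger a token refresh and grep the logs for the literal refresh-token value; it should no longer appear anywhere.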
References
- Vendor Advisory
- Patch
- Exploit, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 9.23.3 (exclusive)
cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
EPSS
Score: 0.00047 (percentile: 14%, Low)
CVSS3
4.2 Medium
5.5 Medium
Weaknesses
CWE-284
Related vulnerabilities
- github, almost 3 years ago, CVSS3: 4.2: directus vulnerable to Insertion of Sensitive Information into Log File