Description
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 11.13.0, an authenticated user who has read permission on a field can still search (filter) on fields marked as concealed/sensitive. The returned values stay masked (****), but because the filter is evaluated against the real stored value, the presence or absence of a record in the result set tells the caller whether the guess matched. That match/no-match signal is an oracle that allows the concealed value to be enumerated, for example one character at a time with a prefix filter. Version 11.13.0 fixes the issue.
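The following is an added illustration of the bug class described above, not Directus code and not the upstream fix. It models a collection in memory: a filter is evaluated against raw values and masking is applied only on output, so a prefix filter on the concealed field leaks which rows matched. The records, the field names, the supported operators and the "refuse filters on concealed fields" mitigation are all constructed assumptions for the example.

```javascript
// Added example: masked-output / unmasked-filter oracle, modelled in memory.
// Not Directus's own code. Records, field names and the mitigation are assumptions.

// Constructed sample collection; api_key is the concealed field.
const RECORDS = [
  { id: 1, email: "alice@example.com", api_key: "7c3e" },
  { id: 2, email: "bob@example.com",   api_key: "b04d" },
  { id: 3, email: "carol@example.com", api_key: "7cff" },
];
const CONCEALED_FIELDS = new Set(["api_key"]);
const MASK = "****";

// Display masking: concealed values are replaced before the row is returned.
function maskRecord(record) {
  const out = { ...record };
  for (const f of CONCEALED_FIELDS) if (f in out) out[f] = MASK;
  return out;
}

// Evaluate a filter such as { api_key: { _starts_with: "7c" } } against one row.
function matches(record, filter) {
  return Object.entries(filter).every(([field, ops]) =>
    Object.entries(ops).every(([op, value]) => {
      const actual = String(record[field] ?? "");
      switch (op) {
        case "_eq": return actual === value;
        case "_starts_with": return actual.startsWith(value);
        default: throw new Error(`unsupported operator ${op}`);
      }
    })
  );
}

// Vulnerable shape: the filter sees the raw value, only the output is masked.
// Values never leave in clear, but which rows matched does.
function vulnerableQuery(filter) {
  return RECORDS.filter((r) => matches(r, filter)).map(maskRecord);
}

// One possible mitigation (an assumption, not the upstream patch): reject any
// filter that references a concealed field before the data is consulted.
function hardenedQuery(filter) {
  for (const field of Object.keys(filter)) {
    if (CONCEALED_FIELDS.has(field)) {
      throw new Error(`filtering on concealed field '${field}' is not permitted`);
    }
  }
  return vulnerableQuery(filter);
}

// Enumeration: recover one row's concealed value character by character, using
// only whether the target row id appears in the (masked) result set.
function enumerateConcealed(query, targetId, field, alphabet, maxLen = 64) {
  let prefix = "";
  let queries = 0;
  while (prefix.length < maxLen) {
    let extended = false;
    for (const ch of alphabet) {
      queries++;
      const rows = query({ [field]: { _starts_with: prefix + ch } });
      if (rows.some((r) => r.id === targetId)) {
        prefix += ch;
        extended = true;
        break;
      }
    }
    if (!extended) break; // no character extends the prefix: value is complete
  }
  return { value: prefix, queries };
}

const HEX = "0123456789abcdef";

if (typeof require !== "undefined" && require.main === module) {
  console.log(vulnerableQuery({ api_key: { _eq: "7c3e" } })); // row 1, api_key "****"
  console.log(enumerateConcealed(vulnerableQuery, 1, "api_key", HEX)); // recovers "7c3e"
  try { hardenedQuery({ api_key: { _eq: "7c3e" } }); } catch (e) { console.log(e.message); }
}
```

The recovery costs at most alphabet-size queries per character, which is why a read-only role with no access to the clear value is still a meaningful risk; the check a practitioner wants is that filtering, sorting and aggregation on a concealed field are refused (or evaluated on the masked value) rather than relying on output masking alone.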
Vulnerable configurations
Configuration 1: versions before 11.13.0 (exclusive)
cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
EPSS: 0.00034 (percentile 10%, low)
CVSS3: 6.5 Medium
Weaknesses: CWE-201 (Insertion of Sensitive Information Into Sent Data)
Related vulnerabilities
GitHub advisory, 3 months ago: Directus's conceal fields are searchable if read permissions enabled
CVSS3: 6.5 Medium; EPSS: 0.00034 (percentile 10%, low); weakness: CWE-201