Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.
History

Fri, 06 Dec 2024 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Dec 2024 19:00:00 +0000

Type: Description
Values Removed: Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.
Values Added: Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.

Thu, 05 Dec 2024 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.

Type: Title
Values Removed: (none)
Values Added: Directus has an HTML Injection in Comment

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-80

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-05T16:55:53.434Z

Updated: 2024-12-06T15:56:34.323Z

Reserved: 2024-11-29T18:02:16.753Z

Link: CVE-2024-54128

Vulnrichment

Updated: 2024-12-06T15:56:23.406Z

NVD

Status: Received

Published: 2024-12-05T17:15:15.130

Modified: 2024-12-05T19:15:08.857

Link: CVE-2024-54128

Redhat

No data.