{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30352", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-21T14:12:06.270Z", "datePublished": "2025-03-26T17:18:39.567Z", "dateUpdated": "2025-03-27T15:15:07.652Z"}, "containers": {"cna": {"title": "Directus `search` query parameter allows enumeration of non permitted fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"}, {"name": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": ">= 9.0.0-alpha.4, < 11.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-26T17:18:39.567Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue."}], "source": {"advisory": "GHSA-7wq3-jr35-275c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-27T15:14:43.647720Z", "id": "CVE-2025-30352", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T15:15:07.652Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30352", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-27T15:14:43.647720Z"}}}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T15:15:00.582Z"}}], "cna": {"title": "Directus `search` query parameter allows enumeration of non permitted fields", "source": {"advisory": "GHSA-7wq3-jr35-275c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": ">= 9.0.0-alpha.4, < 11.5.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c", "name": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d", "name": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-26T17:18:39.567Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30352", "state": "PUBLISHED", "dateUpdated": "2025-03-27T15:15:07.652Z", "dateReserved": "2025-03-21T14:12:06.270Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-26T17:18:39.567Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A325DF47-2060-4AB3-B23A-3E49FB326B99", "versionEndExcluding": "11.5.0", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha10:*:*:*:node.js:*:*", "matchCriteriaId": "57E957B1-893E-433F-87F0-578F79A0588C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha11:*:*:*:node.js:*:*", "matchCriteriaId": "DACEC925-A059-41FE-AC2B-801BFF3934CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha12:*:*:*:node.js:*:*", "matchCriteriaId": "406882F6-A01E-4648-A32A-1C8868BBF22C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha13:*:*:*:node.js:*:*", "matchCriteriaId": "05490D09-A45C-407C-A8EE-832694AD7BC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha14:*:*:*:node.js:*:*", "matchCriteriaId": "DAAB7BAA-2678-40A6-A307-E770C7D1A39A", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha15:*:*:*:node.js:*:*", "matchCriteriaId": "C921077E-DF8F-4E5E-BE39-4F2514FF7965", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha16:*:*:*:node.js:*:*", "matchCriteriaId": "A2454930-529A-40BD-8C78-9E7B50814A8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha17:*:*:*:node.js:*:*", "matchCriteriaId": "1307B32A-12DC-43D7-9B92-AEB57E208FCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha18:*:*:*:node.js:*:*", "matchCriteriaId": "0FF46870-7A9F-485F-82C4-28605C271A63", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha19:*:*:*:node.js:*:*", "matchCriteriaId": "81809A12-1D08-425C-A158-3EC277760915", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha20:*:*:*:node.js:*:*", "matchCriteriaId": "A41BE61B-B73A-445D-9470-91F5C557FEDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha21:*:*:*:node.js:*:*", "matchCriteriaId": "3119C562-9579-469A-A15D-34BC83742F32", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha22:*:*:*:node.js:*:*", "matchCriteriaId": "FDABCC24-0BAD-4273-9462-A86068FC69C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha23:*:*:*:node.js:*:*", "matchCriteriaId": "02071B13-14CE-4F4A-BC7B-DDDAC9E55F8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha24:*:*:*:node.js:*:*", "matchCriteriaId": "44BFEE06-A74F-44C3-BBC1-828BFBB011BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha25:*:*:*:node.js:*:*", "matchCriteriaId": "38470832-C67F-4BC1-BC32-6CDD5803B665", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha26:*:*:*:node.js:*:*", "matchCriteriaId": "7FBC0113-A30A-44EF-915B-1F1223DC22E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha27:*:*:*:node.js:*:*", "matchCriteriaId": "2120E7BF-7560-4CDA-86EB-CC5B2A872F1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha31:*:*:*:node.js:*:*", "matchCriteriaId": "06864B05-6E46-4F15-B75B-3F5A4A86AF72", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha32:*:*:*:node.js:*:*", "matchCriteriaId": "A5EDDAA8-866A-428B-8071-6B4FE6DA146A", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha33:*:*:*:node.js:*:*", "matchCriteriaId": "65AD8FCD-9C99-4E73-86C6-6830757F00AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha34:*:*:*:node.js:*:*", "matchCriteriaId": "1F8FDF4D-D4D3-463C-AF01-3D92B1402DFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha35:*:*:*:node.js:*:*", "matchCriteriaId": "160C0A93-BD3F-403F-94FC-DFDAE5B45601", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha36:*:*:*:node.js:*:*", "matchCriteriaId": "38F094AA-8531-4BE7-96B3-14B1B7BCDAA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha37:*:*:*:node.js:*:*", "matchCriteriaId": "774E7656-2420-4145-B7D5-1DFE219D0C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha38:*:*:*:node.js:*:*", "matchCriteriaId": "B8B2437D-0280-4E6A-B297-46FD4BFD335C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha39:*:*:*:node.js:*:*", "matchCriteriaId": "0736A783-87F2-4492-938C-342731B63D0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "971BC038-CF56-4E12-97C8-AC7F3C42F2FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha40:*:*:*:node.js:*:*", "matchCriteriaId": "C8E325A8-0FA5-47EE-B277-85667E10AC6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha41:*:*:*:node.js:*:*", "matchCriteriaId": "80245E5E-5BC9-48CB-B9F4-CDFEA644D344", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha42:*:*:*:node.js:*:*", "matchCriteriaId": "D9D1733E-0AB2-49D5-9861-CF90DEF7D4DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "CE63E33F-F203-4C9F-87FE-7FDDA4AC1AA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "4996A47D-58D2-45DB-AFB5-12878B302FA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha7:*:*:*:node.js:*:*", "matchCriteriaId": "0B677943-841D-4F89-BF8D-8BA6C34DF759", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha8:*:*:*:node.js:*:*", "matchCriteriaId": "3B53EAED-F218-45A4-9457-B9D4BBA2D508", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha9:*:*:*:node.js:*:*", "matchCriteriaId": "7506F506-3826-4DA1-8ABD-1E5C06F01F8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta0:*:*:*:node.js:*:*", "matchCriteriaId": "4D4F7DA2-0287-4CA0-B862-1AD63286BC22", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta1:*:*:*:node.js:*:*", "matchCriteriaId": "4FCB6396-1F7E-4F07-837B-C62F1394AD7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta10:*:*:*:node.js:*:*", "matchCriteriaId": "ECC79DA9-EEFA-466E-839A-CEDA2301CBBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta11:*:*:*:node.js:*:*", "matchCriteriaId": "CB7F184D-E022-4F6F-8E54-A16D3CC9C591", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta12:*:*:*:node.js:*:*", "matchCriteriaId": "B73F733C-2125-4C0E-B18A-D48AE2EF2C68", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta13:*:*:*:node.js:*:*", "matchCriteriaId": "FD44AB56-F4DA-48C3-8F5B-E44DD2DB13D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta14:*:*:*:node.js:*:*", "matchCriteriaId": "D96225EC-4251-4870-B030-4434C5BFCA75", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta2:*:*:*:node.js:*:*", "matchCriteriaId": "65918BFA-0DD1-4F1A-AB7E-FDFB7870C3D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta3:*:*:*:node.js:*:*", "matchCriteriaId": "E000D241-5083-4556-AFCB-06E5B8EC8492", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta4:*:*:*:node.js:*:*", "matchCriteriaId": "50530CFF-9DA9-424B-BFE9-1B11D13A03C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta5:*:*:*:node.js:*:*", "matchCriteriaId": "051BA743-AB9F-4A40-829B-5511222DB49A", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta7:*:*:*:node.js:*:*", "matchCriteriaId": "3ED84BB1-99C7-43CC-BF12-6678575128C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta8:*:*:*:node.js:*:*", "matchCriteriaId": "2D5A5B7D-C2C2-412E-A1FA-86B9C8E89301", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta9:*:*:*:node.js:*:*", "matchCriteriaId": "50AFC47C-4278-440F-9760-7916F41F5CBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc0:*:*:*:node.js:*:*", "matchCriteriaId": "79DF48A1-E6B7-4E79-BA98-BFC8D83988C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "ADC6B9DE-1F0E-4B4B-83C9-A33D7D00BF60", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc10:*:*:*:node.js:*:*", "matchCriteriaId": "E587B50F-C95F-404A-949D-6AA505D97D4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc100:*:*:*:node.js:*:*", "matchCriteriaId": "F33CB7DE-A45C-4A4F-846E-5AA00915EAE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc101:*:*:*:node.js:*:*", "matchCriteriaId": "ABBAA85D-8820-42DF-A092-3455F42CC54B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc11:*:*:*:node.js:*:*", "matchCriteriaId": "857ED8BB-9AB7-4EE5-B7E3-B0739ABAC320", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc12:*:*:*:node.js:*:*", "matchCriteriaId": "01020B23-511F-46AE-9377-DE98FF106955", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc13:*:*:*:node.js:*:*", "matchCriteriaId": "BC8375B9-EBFE-43B3-B622-094934D2A3DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc14:*:*:*:node.js:*:*", "matchCriteriaId": "0AE5CC78-5DD8-4EB0-93DC-A2259D1C233C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc15:*:*:*:node.js:*:*", "matchCriteriaId": "2D6DEB65-65A3-42B3-AF4D-B5B0C2ECAFAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc17:*:*:*:node.js:*:*", "matchCriteriaId": "CB37DCD9-3174-4F38-A197-560461220A92", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc18:*:*:*:node.js:*:*", "matchCriteriaId": "90965BB7-2ADE-4CBB-84F9-F0769FD33E7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc19:*:*:*:node.js:*:*", "matchCriteriaId": "58F83ADF-13B6-4C16-A446-95FFA2DDFAB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "018F0D61-1045-4668-97CB-1A6C78BF50DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc20:*:*:*:node.js:*:*", "matchCriteriaId": "4D3F4961-6960-4F76-8860-0D0A90FDEBC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc21:*:*:*:node.js:*:*", "matchCriteriaId": "D61539A8-E63D-40F9-A71C-BEA16E320E1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc22:*:*:*:node.js:*:*", "matchCriteriaId": "C0938C0A-902F-4111-B1A8-9E133C538B35", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc23:*:*:*:node.js:*:*", "matchCriteriaId": "F1E89060-50E6-4E9E-9B1E-7A99D583F9FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc24:*:*:*:node.js:*:*", "matchCriteriaId": "3F3BCC59-5FA3-44D7-95C6-53F87B95346F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc25:*:*:*:node.js:*:*", "matchCriteriaId": "F76B2AD3-503A-492E-BD47-6C8EF4F03163", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc26:*:*:*:node.js:*:*", "matchCriteriaId": "845F2552-DA69-4C12-BA6E-74AFC85FF25E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc27:*:*:*:node.js:*:*", "matchCriteriaId": "438648F2-5A4D-4BB6-B2E8-4FA14985E7D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc28:*:*:*:node.js:*:*", "matchCriteriaId": "8B3E718B-D593-4305-B96B-6EFB2B1013FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc29:*:*:*:node.js:*:*", "matchCriteriaId": "5A06E8BC-2666-44C9-9254-18C5D2EE30CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "7219A713-5E0F-43DD-805B-D320BE36970F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc30:*:*:*:node.js:*:*", "matchCriteriaId": "D3189111-179B-4461-A923-232B526DAA91", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc31:*:*:*:node.js:*:*", "matchCriteriaId": "A47BA605-78FC-41CD-8144-1E9925EB9FA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc32:*:*:*:node.js:*:*", "matchCriteriaId": "185165D0-1CBB-451F-B7B1-69F32C8890B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc33:*:*:*:node.js:*:*", "matchCriteriaId": "E5411DD0-02BF-4DEC-9F11-CBD64E5A5827", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc34:*:*:*:node.js:*:*", "matchCriteriaId": "E7918F2B-7C73-4B5D-9182-7CC90EE45609", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc35:*:*:*:node.js:*:*", "matchCriteriaId": "02AAD6F7-E04F-44DD-B9E9-ED2EAF877CB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc36:*:*:*:node.js:*:*", "matchCriteriaId": "6B388B8A-9D60-4367-8BBA-B902E68DB06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc37:*:*:*:node.js:*:*", "matchCriteriaId": "457FC628-B2A6-48FB-846E-37241C286C8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc38:*:*:*:node.js:*:*", "matchCriteriaId": "1AB9AE8A-5410-4F81-85F5-9634A5F09CA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc39:*:*:*:node.js:*:*", "matchCriteriaId": "E9D94B15-5E66-42F5-B977-5926AC78B3B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "C9D896EA-2FC1-46D9-A359-1765911911E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc40:*:*:*:node.js:*:*", "matchCriteriaId": "47D34C99-94F0-4576-8323-829E9F947467", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc41:*:*:*:node.js:*:*", "matchCriteriaId": "18B25751-F979-46A2-80A3-306AD24DB6E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc42:*:*:*:node.js:*:*", "matchCriteriaId": "AD733506-5883-4659-AFDD-622BAAE6A268", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc43:*:*:*:node.js:*:*", "matchCriteriaId": "67763EB8-CA42-4329-BED4-A5918672708B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc44:*:*:*:node.js:*:*", "matchCriteriaId": "B3C51051-FAC5-465F-94F7-1ACE4AEC3CE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc45:*:*:*:node.js:*:*", "matchCriteriaId": "45181B19-7268-4A1A-B171-97ADBEA20B59", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc46:*:*:*:node.js:*:*", "matchCriteriaId": "88D47305-5072-4558-BD08-7D9C1E8941EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc47:*:*:*:node.js:*:*", "matchCriteriaId": "CBA492F0-0D20-4014-AAAE-F869676B10AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc48:*:*:*:node.js:*:*", "matchCriteriaId": "D151C9A4-56A6-4DB0-AF16-0FC5F47B79A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc49:*:*:*:node.js:*:*", "matchCriteriaId": "8DF1C900-D3BC-48EB-AACA-D4CD9141DC83", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "905C3CB9-386E-4069-8024-78F754D4D68E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc50:*:*:*:node.js:*:*", "matchCriteriaId": "63006537-E1EE-45B9-9D2A-472B18C7AC61", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc51:*:*:*:node.js:*:*", "matchCriteriaId": "994ADB6B-05BB-45AC-AA8E-B5E7F563CD73", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc52:*:*:*:node.js:*:*", "matchCriteriaId": "E281F85A-075C-4C7D-8161-71988D913645", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc53:*:*:*:node.js:*:*", "matchCriteriaId": "AE9EB722-4D14-4195-931B-F43DCF02DD82", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc54:*:*:*:node.js:*:*", "matchCriteriaId": "2C107B59-6187-4751-A5D4-0E376BC8DD86", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc55:*:*:*:node.js:*:*", "matchCriteriaId": "68A5AC87-91F6-4AC6-B24A-FFEB1F5230F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc56:*:*:*:node.js:*:*", "matchCriteriaId": "94147F63-BFA8-4E7F-A123-CADC0860787B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc57:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC68C4-5989-4360-A271-99C453A5F89C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc58:*:*:*:node.js:*:*", "matchCriteriaId": "C3527E35-25E2-4FC0-9F2C-1391A7970F2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc59:*:*:*:node.js:*:*", "matchCriteriaId": "BF6DC07D-A6C3-4E83-AA85-2D6681435000", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "F3F09869-87E3-4800-A710-9C7941CDEFE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc60:*:*:*:node.js:*:*", "matchCriteriaId": "C5B82980-7A69-41BD-B81F-388230F1F4AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc61:*:*:*:node.js:*:*", "matchCriteriaId": "9B0105D6-6D65-4EA7-B578-D6FA47C0256F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc62:*:*:*:node.js:*:*", "matchCriteriaId": "7C177176-589B-46FE-A7F9-52A252068700", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc63:*:*:*:node.js:*:*", "matchCriteriaId": "6C9A5054-D29D-40C5-B9FA-8C8987815BC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc64:*:*:*:node.js:*:*", "matchCriteriaId": "42EDA79D-0816-476C-B2B2-15E1D577B304", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc65:*:*:*:node.js:*:*", "matchCriteriaId": "A3C73CFD-7D69-4B52-BE88-92BE5E95948E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc66:*:*:*:node.js:*:*", "matchCriteriaId": "B4789366-7B3A-4719-8633-7CD77231AD4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc67:*:*:*:node.js:*:*", "matchCriteriaId": "77ABA1B7-BEC0-4844-AC3D-C50A5F95A975", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc68:*:*:*:node.js:*:*", "matchCriteriaId": "C5B334CE-C90C-4C16-BC8A-31EB96E08424", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc69:*:*:*:node.js:*:*", "matchCriteriaId": "626AB55C-5EA2-4BF1-B71D-AA3C3F938079", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "5D74C6A7-DAB2-4332-8812-5006AC7C5059", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc70:*:*:*:node.js:*:*", "matchCriteriaId": "F6936811-46AC-4FBF-BF9A-B79C26903F60", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc71:*:*:*:node.js:*:*", "matchCriteriaId": "BEB1D541-83EB-4696-BB4C-459D2868E3AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc72:*:*:*:node.js:*:*", "matchCriteriaId": "9B673CB8-3D2C-4B5F-8C74-B0CB6A4E4AE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc73:*:*:*:node.js:*:*", "matchCriteriaId": "30627639-77FB-4BD2-BAA6-B836D69C6CB5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc74:*:*:*:node.js:*:*", "matchCriteriaId": "DC13B24F-0654-4EE9-9560-F9B1C84964BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc75:*:*:*:node.js:*:*", "matchCriteriaId": "45678A24-A6C5-4102-9556-C3C437E51034", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc76:*:*:*:node.js:*:*", "matchCriteriaId": "FDA41F0C-5EE0-4441-A332-FE8EE0BBD559", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc77:*:*:*:node.js:*:*", "matchCriteriaId": "54DBA109-30ED-469B-AC70-1F31EFFD895F", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc78:*:*:*:node.js:*:*", "matchCriteriaId": "B8A55B14-3AD3-407E-964E-C211D1C5F018", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc79:*:*:*:node.js:*:*", "matchCriteriaId": "FE0630B0-6279-424B-94F1-78589D369D5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "4304B6AF-77C8-4897-B7AC-C7799F4B3D1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc80:*:*:*:node.js:*:*", "matchCriteriaId": "13DEE564-F460-4A9B-93B9-A0750B5A1095", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc81:*:*:*:node.js:*:*", "matchCriteriaId": "26F7F097-03E4-4967-A468-F228E16DE399", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc82:*:*:*:node.js:*:*", "matchCriteriaId": "A60A7249-DE56-4246-AB5B-8985E1A9D348", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc83:*:*:*:node.js:*:*", "matchCriteriaId": "B94C26B2-BB7C-4D1F-A3F1-FDB6D41820EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc84:*:*:*:node.js:*:*", "matchCriteriaId": "56E73854-4DA2-49A5-B294-9E6D220E27A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc85:*:*:*:node.js:*:*", "matchCriteriaId": "67C502CB-97AA-41BF-97FA-96ADB2E8085C", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc86:*:*:*:node.js:*:*", "matchCriteriaId": "A3183D41-C6BC-40CD-8664-A3E0B4F53B85", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc87:*:*:*:node.js:*:*", "matchCriteriaId": "E2C9DFE7-1FE6-4B16-860A-705E93A9CAA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc88:*:*:*:node.js:*:*", "matchCriteriaId": "4F5F54F5-2DAE-497E-9B6A-1CFCCD2DDA26", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc89:*:*:*:node.js:*:*", "matchCriteriaId": "D0E93F86-5540-4824-A633-1FB7554C7667", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc9:*:*:*:node.js:*:*", "matchCriteriaId": "3EAB3390-7226-48C1-9733-DF10F00ABF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc90:*:*:*:node.js:*:*", "matchCriteriaId": "8C54A473-18C8-4FD0-A72F-DFF16FA6C2C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc91:*:*:*:node.js:*:*", "matchCriteriaId": "481855FA-4917-477C-9048-91A2D5AB5C89", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc92:*:*:*:node.js:*:*", "matchCriteriaId": "4599AB33-9E40-4160-8E96-2B40BBC30FDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc93:*:*:*:node.js:*:*", "matchCriteriaId": "25F6546A-0910-4834-870A-F7E2F96FC63B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc94:*:*:*:node.js:*:*", "matchCriteriaId": "FE9469F4-4344-4AA1-B94F-14380B8E47CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc95:*:*:*:node.js:*:*", "matchCriteriaId": "DF391F49-3CB0-4B24-B162-D63E029003B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc96:*:*:*:node.js:*:*", "matchCriteriaId": "9B8C3A2D-6485-4211-A4E1-C4AEFC96501B", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc97:*:*:*:node.js:*:*", "matchCriteriaId": "20FC540E-0C8E-4CEF-9A82-94637C1381EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc98:*:*:*:node.js:*:*", "matchCriteriaId": "3E00F86C-5BDD-43C4-BCE5-DAA151C2FF1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc99:*:*:*:node.js:*:*", "matchCriteriaId": "2EB1F36B-2212-4911-A417-1C4604793F8B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue."}, {"lang": "es", "value": "Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0-alpha.4 y anteriores a la 11.5.0, el par\u00e1metro de consulta `search` permite a los usuarios con acceso a una colecci\u00f3n filtrar elementos seg\u00fan los campos que no tienen permiso para ver. Esto permite enumerar el contenido de campos desconocidos. Las columnas de b\u00fasqueda (n\u00fameros y cadenas) no se verifican con los permisos al inyectar las cl\u00e1usulas `where` para aplicar la consulta de b\u00fasqueda. Esto permite enumerar los campos no permitidos. La versi\u00f3n 11.5.0 soluciona este problema."}], "id": "CVE-2025-30352", "lastModified": "2025-08-26T01:41:50.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-03-26T18:15:27.080", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{}