cbcvebase.
CVE-2024-39701
published 2024-07-08


Priority: P3, 46, high
CVSS 3.1: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS: 0.42% (33.9th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.
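The access-control failure in the description comes down to how a permission filter's `_in` / `_nin` list is evaluated when it is empty. The following is an added illustration, not Directus code: a minimal evaluator for rules of the form `{"field": {"_in": values}}`, with the pre-10.6.0 behaviour reconstructed from the advisory text (an empty list is accepted as valid and the rule passes) beside the intended behaviour (a field can only match a non-empty list). The user record, the field name `allowed_roles`, and the function names are constructed for this example.

```javascript
// Added example, not part of the advisory or of Directus itself.
// Models permission-rule evaluation for the _in / _nin operators.

// Constructed sample user standing in for $CURRENT_USER. Note that
// allowed_roles is an empty list, the case the advisory describes.
const currentUser = { id: 'u1', role: 'editor', allowed_roles: [] };

// Resolve a dynamic value such as "$CURRENT_USER.allowed_roles" against
// the current user; any other value is used as-is.
function resolveValue(value, user) {
  if (typeof value === 'string' && value.startsWith('$CURRENT_USER.')) {
    const key = value.slice('$CURRENT_USER.'.length);
    return user[key] ?? []; // a missing field resolves to an empty list
  }
  return value;
}

// Evaluate one operator. With fixed=false the empty-list case follows the
// behaviour the advisory attributes to versions >=9.23.0, <=10.5.3: an
// empty list is treated as valid and the rule passes. With fixed=true an
// empty list can never match, which is what "field matches any of the
// values" requires.
function evaluateCondition(op, fieldValue, values, fixed) {
  const list = Array.isArray(values) ? values : [values];
  if (!fixed && list.length === 0) {
    return true; // pre-fix: empty list accepted, request allowed
  }
  const matches = list.includes(fieldValue);
  if (op === '_in') return matches;
  if (op === '_nin') return !matches;
  throw new Error(`unsupported operator ${op}`);
}

// Evaluate a rule object like {"role": {"_in": [...]}} against a record.
// Every field and every operator under it must pass.
function evaluateRule(rule, record, user, fixed) {
  return Object.entries(rule).every(([field, conditions]) =>
    Object.entries(conditions).every(([op, raw]) =>
      evaluateCondition(op, record[field], resolveValue(raw, user), fixed)
    )
  );
}

// Rule from the advisory, with a constructed field name: the record's role
// must be one of the roles listed on the current user.
const rule = { role: { _in: '$CURRENT_USER.allowed_roles' } };
const record = { role: 'admin' };

function vulnerableOutcome() {
  return evaluateRule(rule, record, currentUser, false); // true: access granted
}

function fixedOutcome() {
  return evaluateRule(rule, record, currentUser, true); // false: access denied
}

console.log('pre-10.6.0 evaluation grants access:', vulnerableOutcome());
console.log('intended evaluation grants access:  ', fixedOutcome());
```

The decisive line is the empty-list branch in `evaluateCondition`: once an empty list short-circuits to "pass", a user whose related field happens to be empty satisfies a rule that was meant to restrict them. Reviewing permission evaluators for this shape of default (treat "no values" as "no constraint") is a useful check beyond this one product.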

Affected

3 ranges
Vendor      Product    Version range         Fixed in
directus    directus
directus    directus   >= 9.23.0 < 10.6.0    10.6.0
monospace   directus   >= 9.23.0 < 10.6.0    10.6.0