CVE-2024-54128 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Directus

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)3 documents3 sources

Severity

4.6MEDIUMNVD

EPSS

0.2%

top 54.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Monospace Directus Directus APP Directus

Timeline

PublishedDec 5

Description

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages4 packages

▶npmdirectus/app11.0.0 — 13.3.1

▶npmdirectus/directus10.10.0 — 10.13.4+1

▶NVDmonospace/directus10.10.0 — 10.13.4+1

▶CVEListV5directus/directus>= 10.10.0, < 10.13.4, >= 11.0.0-rc.1, < 11.2.0+1

🔴Vulnerability Details

OSV

Directus has an HTML Injection in Comment↗2024-12-05

▶

GHSA

Directus has an HTML Injection in Comment↗2024-12-05

▶