CVE-2024-54128
published 2024-12-05


Priority: P423
CVSS 3.1: 4.6 (medium), vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.34% (25.7th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.
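The description above comes down to one point: a restricted-character filter that runs only in the browser never sees a request sent straight to the API. The following is an added illustration, not Directus code, modelling a comment endpoint with a vulnerable handler that trusts the client-side filter beside a hardened one that re-validates server-side and escapes on output; the RESTRICTED pattern and request shape are assumptions for the example.

```javascript
// Added example (not Directus code): why a comment filter must run on the server.
// Two layers of a comment-posting flow are modelled: a browser-side filter and
// the API handler. A request built outside the web app never passes through the
// client filter, so the server must enforce the rule itself.

// Characters the (hypothetical) client-side filter refuses in a comment body.
const RESTRICTED = /[<>]/;

// Browser-side check: runs only inside the web app, never for direct API calls.
function clientFilter(body) {
  return RESTRICTED.test(body) ? null : body;
}

// Vulnerable handler: assumes the client already filtered the input and stores
// whatever arrives, which is the pattern the advisory describes.
function createCommentVulnerable(req) {
  return { status: 201, stored: req.body.comment };
}

// Hardened handler: re-validates on the server and rejects restricted
// characters with a 400 regardless of how the request was produced.
function createCommentHardened(req) {
  const comment = req.body.comment;
  if (typeof comment !== 'string' || RESTRICTED.test(comment)) {
    return { status: 400, error: 'comment contains restricted characters' };
  }
  return { status: 201, stored: comment };
}

// Defence in depth: escape at render time so stored text can never become markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: a request that did not go through the web app's filter.
const directApiRequest = { body: { comment: '<b>hello</b>' } };

console.log(clientFilter(directApiRequest.body.comment));        // null (client would block)
console.log(createCommentVulnerable(directApiRequest).stored);   // <b>hello</b> (stored raw)
console.log(createCommentHardened(directApiRequest).status);     // 400 (rejected server-side)
console.log(escapeHtml(directApiRequest.body.comment));          // &lt;b&gt;hello&lt;/b&gt;
```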

Affected

7 ranges

Vendor      Product    Version range               Fixed in
directus    app        >= 11.0.0 < 13.3.1          13.3.1
directus    directus   -                           -
directus    directus   -                           -
directus    directus   >= 10.10.0 < 10.13.4        10.13.4
directus    directus   >= 11.0.0-rc.1 < 11.2.2     11.2.2
monospace   directus   >= 10.10.0 < 10.13.4        10.13.4
monospace   directus   >= 11.0.0 < 11.2.2          11.2.2