Directus App vulnerabilities
2 known vulnerabilities affecting directus/app.
Total CVEs
2
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
MEDIUM: 2
Vulnerabilities
CVE-2025-24353 | MEDIUM | affected versions: ≥ 0, < 13.3.1 | published 2025-01-23
CVE-2025-24353 [MEDIUM] CWE-269: Directus allows privilege escalation using Share feature
### Summary
When sharing an item, a user can specify an arbitrary role. This lets the user borrow a higher-privileged role to see fields that they should not otherwise be able to see.
### Details
Specifying `role` on a share should be available only to admins; the current flow has a security flaw.
Every other role should allow sharing only in the conte
CVE-2024-54128 | MEDIUM | affected versions: ≥ 11.0.0, < 13.3.1 | published 2024-12-05
CVE-2024-54128 [MEDIUM] CWE-80: Directus has an HTML Injection in Comment
### Summary
The Comment feature implements a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter runs only on the client side, where it can be bypassed, leaving the application vulnerable to HTML injection.
### Details
The Comment feature implements a character filter on the client side; this can be bypassed by directly sending a requ