Monospace Directus vulnerabilities

44 known vulnerabilities affecting monospace/directus.

Total CVEs
44
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL 1 | HIGH 7 | MEDIUM 35 | LOW 1

Vulnerabilities

Page 3 of 3
CVE-2023-27481 | MEDIUM | CVSS 4.3 | fixed in 9.16.0 | 2023-03-07
CVE-2023-27481 [MEDIUM] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0, users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes.
nvd
CVE-2023-26492 | HIGH | CVSS 7.5 | fixed in 9.23.0 | 2023-03-03
CVE-2023-26492 [HIGH] CWE-918: Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perfor
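DNS rebinding beats an importer that resolves the hostname to check it and then lets the HTTP client resolve it again: the second answer can be a loopback or metadata address. The example below is added here and is not Directus code; the rebinding resolver, the transport that records which address it connected to, and the hostnames are constructed for the demo. It shows the vulnerable "resolve twice" shape next to the pinned-address shape that closes the window.

```javascript
// Added example (not Directus code): a "resolve, check, then fetch" importer loses
// to DNS rebinding; resolving once and connecting to that address does not.
// Resolver, transport and hostnames below are constructed for the demo.

// Loopback, private, link-local (incl. cloud metadata) and "this network" ranges
// a remote-file importer must never reach. Unparseable input fails closed.
function isInternalIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
  return (
    o[0] === 0 ||
    o[0] === 10 ||
    o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168)
  );
}

// Constructed rebinding resolver: each hostname maps to a sequence of answers,
// so the attacker's name can be public on the first lookup and loopback on the next.
function makeRebindingResolver(answers) {
  const served = {};
  return (host) => {
    const list = answers[host];
    if (!list) throw new Error(`NXDOMAIN ${host}`);
    const i = Math.min(served[host] ?? 0, list.length - 1);
    served[host] = i + 1;
    return list[i];
  };
}

// Constructed transport: records the address it was asked to connect to. A real
// client would open the socket to `ip` and send `Host: host` on it.
function makeTransport() {
  const log = [];
  return {
    log,
    get: (ip, host) => { log.push(ip); return `body from ${host} at ${ip}`; },
  };
}

// Vulnerable shape: validates the name, then hands the name (not the address)
// to the client, which resolves it a second time.
function importFileResolveTwice(urlHost, resolve, transport) {
  const checked = resolve(urlHost);
  if (isInternalIPv4(checked)) throw new Error(`blocked ${urlHost} -> ${checked}`);
  const connectTo = resolve(urlHost); // rebinding window: may differ from `checked`
  return transport.get(connectTo, urlHost);
}

// Hardened shape: resolve once, validate that address, connect to that address only.
function importFilePinned(urlHost, resolve, transport) {
  const pinned = resolve(urlHost);
  if (isInternalIPv4(pinned)) throw new Error(`blocked ${urlHost} -> ${pinned}`);
  return transport.get(pinned, urlHost);
}
```

In a real importer the same pinned check has to be repeated on every redirect hop (a 302 to `http://127.0.0.1/` is the other classic bypass) and extended to IPv6, including IPv4-mapped addresses such as `::ffff:127.0.0.1`; the advisory above covers only the DNS rebinding path.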
nvd
CVE-2022-26969 | CRITICAL | CVSS 9.8 | fixed in 9.7.0 | 2022-12-26
CVE-2022-26969 [CRITICAL] CWE-942: In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
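Why a default of `CORS_ORIGIN=true` rates as critical is clearer when the browser's rules are spelled out. The example below is added here and is not Directus code. It assumes the `cors` npm package convention, where `origin: true` echoes the request's `Origin` header back as `Access-Control-Allow-Origin`, and it assumes `CORS_CREDENTIALS` is also enabled (a value this page does not state); the env-parsing helper and the origins are constructed for the demo.

```javascript
// Added example (not Directus code): what a reflect-any-origin CORS default
// means to a browser, next to an explicit allowlist. Origin handling follows the
// `cors` npm package convention (`origin: true` reflects the request Origin);
// env parsing, credentials default and origins are assumptions for the demo.

// Minimal parser for the env form: `true`, a single origin, or a comma list.
function parseCorsEnv(env) {
  const originRaw = (env.CORS_ORIGIN ?? 'true').trim();
  let origin;
  if (originRaw === 'true') origin = true;
  else if (originRaw.includes(',')) origin = originRaw.split(',').map((s) => s.trim());
  else origin = originRaw;
  return {
    enabled: (env.CORS_ENABLED ?? 'true') === 'true',
    origin,
    credentials: (env.CORS_CREDENTIALS ?? 'true') === 'true', // assumed default
  };
}

// Headers the API would emit for a request carrying `Origin: requestOrigin`.
function corsResponseHeaders(config, requestOrigin) {
  const headers = {};
  if (!config.enabled || !requestOrigin) return headers;
  if (config.origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*'; // browsers refuse credentials with '*'
    return headers;
  }
  const allowed =
    config.origin === true ||
    (Array.isArray(config.origin)
      ? config.origin.includes(requestOrigin)
      : config.origin === requestOrigin);
  if (!allowed) return headers;
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin';
  if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// A page at `origin` may read an authenticated (cookie-bearing) response only if
// ACAO matches it exactly and ACAC is "true". Reflecting any Origin satisfies both.
function credentialedReadAllowedFrom(headers, origin) {
  return headers['Access-Control-Allow-Origin'] === origin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Pre-9.7.0 defaults per the advisory (credentials default assumed), and a fix.
const PRE_9_7_DEFAULTS = parseCorsEnv({});
const HARDENED = parseCorsEnv({ CORS_ORIGIN: 'https://app.example.com, https://admin.example.com' });
```

With `PRE_9_7_DEFAULTS`, any site a logged-in user visits can issue credentialed requests to the API and read the responses; with `HARDENED`, the same request from `https://evil.example` gets no `Access-Control-Allow-Origin` at all and the browser withholds the body.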
nvd
CVE-2022-36031 | MEDIUM | CVSS 6.5 | fixed in 9.15.0 | 2022-08-19
CVE-2022-36031 [MEDIUM] CWE-755: Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade.
nvd