Vulnerability Details : CVE-2023-27474
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users URLs pointing at the server's own domain that may nonetheless contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset URL from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround.
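One way to build the reset link and the email body so that query parameters carried by an allow-listed reset URL cannot inject markup, as an added example in JavaScript that is not Directus's own code (the allow-list format, origin-plus-path matching, the `token` parameter name and the sample URL are assumptions):

```javascript
// Added example, not Directus code. Assumes the allow list holds full URLs and
// that a candidate reset URL matches an entry on origin and path.
function isAllowListedResetUrl(candidate, allowList) {
  let url;
  try { url = new URL(candidate); } catch { return false; } // reject malformed input
  return allowList.some((entry) => {
    const allowed = new URL(entry);
    return allowed.origin === url.origin && allowed.pathname === url.pathname;
  });
}

// Re-serialises every query parameter through URLSearchParams, which
// percent-encodes characters such as < > " and /, then appends the token
// (parameter name assumed) as one more encoded value.
function buildResetLink(resetUrl, token) {
  const url = new URL(resetUrl);
  const params = new URLSearchParams(url.search);
  params.set('token', token);
  url.search = params.toString();
  return url.toString();
}

// Escapes the characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Renders the email body. The link is escaped again for the attribute and
// text contexts, so the output stays well-formed even if encoding upstream
// were ever skipped.
function renderResetEmail(resetUrl, token) {
  const link = buildResetLink(resetUrl, token);
  return `<p>Reset your password: <a href="${escapeHtml(link)}">${escapeHtml(link)}</a></p>`;
}

// Constructed sample input: an allow-listed reset page whose "next" query
// parameter carries markup, the situation the advisory describes.
const ALLOW_LIST = ['https://app.example.com/reset-password'];
const SAMPLE_RESET_URL = 'https://app.example.com/reset-password?next=<b>hello</b>';
const SAMPLE_TOKEN = 'tok_constructed_123';

console.log(isAllowListedResetUrl(SAMPLE_RESET_URL, ALLOW_LIST));
console.log(renderResetEmail(SAMPLE_RESET_URL, SAMPLE_TOKEN));
```

The rendered email contains `next=%3Cb%3Ehello%3C%2Fb%3E`, so the markup reaches the recipient only as an encoded query value, never as HTML.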
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-27474
- cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-27474
- 0.06%: probability of exploitation activity in the next 30 days
- ~27%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-27474
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | 
8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N | 1.6 | 5.8 | GitHub, Inc. | 
CWE ids for CVE-2023-27474
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-27474
- https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6 (HTML Injection in Password Reset email to custom Reset URL · Advisory · directus/directus · GitHub) Issue Tracking; Vendor Advisory
- https://github.com/directus/directus/pull/17120 (Fix url encoding query parameters and added tests by tofran · Pull Request #17120 · directus/directus · GitHub) Patch
- https://github.com/directus/directus/issues/17119 (Password reset improperlly handles url-encoded query parameters in reset_url · Issue #17119 · directus/directus · GitHub) Issue Tracking; Mailing List; Third Party Advisory