CVE-2024-54128

Source
https://cve.org/CVERecord?id=CVE-2024-54128
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54128.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-54128
Aliases
Published
2024-12-05T16:55:53.434Z
Modified
2026-04-10T05:18:28.545382Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Directus has an HTML Injection in Comment
Details

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature implements a filter that is meant to prevent users from adding restricted characters, such as HTML tags. However, this filter runs only on the client side: a user who submits the comment directly to the API (bypassing the App form) is not subject to it, so the application is vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.
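As an added example, not Directus code, the following shows why a filter that runs only in the browser does not stop HTML injection, and what server-side enforcement looks like. All function names, the store layout and the sample payload are hypothetical; the advisory does not describe how Directus implemented its fix.

```javascript
// Added example (not Directus code). Every name here is hypothetical.

// 1. The client-side filter the advisory describes: strips restricted
//    characters before the browser form submits the comment.
function clientSideFilter(text) {
  return text.replace(/[<>]/g, "");
}

// 2. Vulnerable server pattern: trusts that the client already filtered,
//    so whatever arrives over the API is persisted verbatim.
function storeCommentTrusting(body) {
  return { stored: body, error: null };
}

// 3. Hardened server pattern: the same rule is enforced where the attacker
//    cannot skip it. Direct API calls now gain nothing over the form.
const RESTRICTED = /[<>]/;
function storeCommentValidated(body) {
  if (typeof body !== "string") {
    return { stored: null, error: "comment must be a string" };
  }
  if (RESTRICTED.test(body)) {
    return { stored: null, error: "comment contains restricted characters" };
  }
  return { stored: body, error: null };
}

// 4. Defence in depth: escape on output too, so rows that were written
//    before the fix still render as inert text rather than markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Two submission paths. The web form runs the client filter; a direct API
// call (curl, fetch from devtools, an intercepting proxy) does not.
function submitViaForm(text, store) {
  return store(clientSideFilter(text));
}
function submitViaApi(text, store) {
  return store(text);
}

// Constructed sample input: a link that another user would see as a comment.
const PAYLOAD = '<a href="https://attacker.example/">Reset your password</a>';

function demo() {
  return {
    // client filter strips the tags, so the form path looks safe in testing
    formVulnerable: submitViaForm(PAYLOAD, storeCommentTrusting).stored,
    // the same payload sent straight to the API is stored as raw HTML
    apiVulnerable: submitViaApi(PAYLOAD, storeCommentTrusting).stored,
    // with server-side validation the API path is rejected
    apiHardened: submitViaApi(PAYLOAD, storeCommentValidated).error,
    // and escaping at render time neutralises anything already stored
    rendered: escapeHtml(PAYLOAD),
  };
}
```

The point to check in your own application is that the form path and the API path produce the same result: if only the form path strips or rejects markup, the validation lives in the wrong place.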

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54128.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-80"
    ]
}
References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type
GIT
Repo
https://github.com/directus/directus
Events
Database specific
{
    "versions": [
        {
            "introduced": "10.10.0"
        },
        {
            "fixed": "10.13.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/directus/directus
Events
Database specific
{
    "versions": [
        {
            "introduced": "11.0.0-rc.1"
        },
        {
            "fixed": "11.2.0"
        }
    ]
}

Affected versions

10.*
10.11.2
v10.*
v10.10.0
v10.10.1
v10.10.2
v10.10.3
v10.10.4
v10.10.5
v10.10.6
v10.10.7
v10.11.0
v10.11.1
v10.11.2
v10.12.1
v10.13.0
v10.13.1
v10.13.2
v10.13.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54128.json"