GHSA-qf6h-p3mr-vmh5

Source
https://github.com/advisories/GHSA-qf6h-p3mr-vmh5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-qf6h-p3mr-vmh5/GHSA-qf6h-p3mr-vmh5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qf6h-p3mr-vmh5
Withdrawn
2025-03-22T00:35:38Z
Published
2024-08-15T03:30:28Z
Modified
2025-03-22T00:35:38Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
Duplicate Advisory: Code injection in Directus
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9qrm-48qf-r2rw. This link is maintained to preserve external references.

Original Description

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application takes an attacker-controlled parameter, stores it on the server, and the client then renders it into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.

Database specific
{
    "nvd_published_at": "2024-08-15T03:15:04Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-15T21:55:24Z"
}
References

Affected packages

Package
npm / directus

Affected ranges
Type: SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Last affected: 10.13.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-qf6h-p3mr-vmh5/GHSA-qf6h-p3mr-vmh5.json"