CVE-2021-26595

Published: Feb 23, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Affected (1)

Products: Rangerstudio: Directus

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rangerstudio Directus	From 8.0.0 to 8.8.1

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (2)

https://github.com/sgranel/directusv8

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/sgranel/directusv8

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.