CVEs (5)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR...Show more |
1Rangerstudio 1Directus 7 Api Nov 21, 2024 Jul 19, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. |
1Rangerstudio 1Directus 7 Api Nov 21, 2024 Jul 19, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection...Show more |
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. |
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution. |