CVE-2024-54128
MEDIUM
Directus 10.10.0-10.13.3 and 11.0.0-13.3.0 - HTML Injection via Comment Feature Client-Side Filter Bypass
Title source: llmDescription
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature applies a filter to stop users from submitting restricted characters such as HTML tags, but the filter runs only on the client side: a user with comment access can skip the UI and send the comment straight to the API, so the restricted content is stored and the application is vulnerable to HTML injection. This vulnerability is fixed in 10.13.4 and 11.2.0.
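As an added illustration (not code from Directus or from the advisory), the JavaScript below contrasts a UI-side "restricted character" filter of the kind the description mentions with a server-side control. The handler names, the sample payload and the request simulation are hypothetical; the point is that a check which only runs in the browser is never reached by a request sent directly to the API.

```javascript
// Added illustration (not Directus code): why a client-side "restricted
// character" filter on a comment box does not stop HTML injection, and what
// a server-side control looks like.

// Constructed sample payload an attacker would submit directly to the API,
// e.g. with curl, skipping the browser UI entirely.
const RAW_COMMENT = 'Nice work <img src=x onerror="alert(document.cookie)">';

// What the description calls the client-side filter: the UI refuses restricted
// characters such as HTML tag delimiters before sending. An attacker simply
// never executes this code.
function clientSideFilter(text) {
  return !/[<>]/.test(text);
}

// Vulnerable server handler (hypothetical): it assumes the UI filter already
// ran and stores the comment verbatim, so any later render that inserts the
// stored value as HTML is open to injection.
function storeCommentVulnerable(text) {
  return { comment: text };
}

// Hardened server handler (hypothetical): neutralizes HTML metacharacters
// regardless of what the client did. Encoding is applied on input here for
// clarity; encoding on output at render time is equally valid, as long as the
// server, not the browser UI, is the enforcement point.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function storeCommentHardened(text) {
  return { comment: escapeHtml(text) };
}

// Simulates a request that bypasses the UI: the body goes straight to the
// handler. Returns whether the UI would have accepted it and what each
// version of the server would persist.
function simulateDirectApiPost(body) {
  return {
    uiWouldAccept: clientSideFilter(body),
    vulnerable: storeCommentVulnerable(body).comment,
    hardened: storeCommentHardened(body).comment,
  };
}

// Minimal check a reviewer can run against stored comments: does the
// persisted value still contain an HTML tag?
function containsHtmlTag(stored) {
  return /<[a-zA-Z][^>]*>/.test(stored);
}

const result = simulateDirectApiPost(RAW_COMMENT);
console.log(result);
```

Running it shows the UI filter would have rejected the payload (`uiWouldAccept: false`) while the vulnerable handler stores the `<img ...>` tag intact and the hardened handler stores only entity-encoded text; the `containsHtmlTag` check is the kind of query one would run over existing comment rows after upgrading to a fixed version.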
References (1)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f
Scores
CVSS v3: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (network-reachable, exploitable by a low-privileged authenticated user, requires a victim to interact, e.g. by viewing the comment)
Attack Vector: NETWORK
EPSS: 0.0033
EPSS Percentile: 24.8%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, "Basic XSS")
Status: published
Products (3)
directus/app (npm): 11.0.0 - 13.3.1
monospace/directus: 10.10.0 - 10.13.4
npm/directus (npm): 10.10.0 - 10.13.4
Published: Dec 05, 2024
Tracked Since: Feb 18, 2026