CVE-2023-27474
📋 TL;DR
Directus versions before 9.23.0 accept a caller-supplied `reset_url` on the password-reset request endpoint (`POST /auth/password/request`) and check it against an allow list, but query parameters appended to an allow-listed URL are not sanitized before the link is embedded in the HTML reset e-mail. An attacker who knows a user's e-mail address can therefore make the legitimate Directus instance send that user an e-mail containing attacker-chosen HTML. Only deployments that configure a password-reset URL allow list are exposed; the default reset flow through the admin app is not affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus (vendor listed as Rangerstudio in CVE records): an open-source data platform that exposes a SQL database through a REST/GraphQL API and an admin app. Its user service sends password-reset e-mails, optionally pointing at a custom front-end reset page via `reset_url`.
⚠️ Risk & Real-World Impact
Worst Case
Attacker-controlled HTML is delivered inside a genuine password-reset e-mail sent by the instance itself (correct sender, branding and, after the injected content, the real reset token). A replaced or added link can lead the victim to a phishing page that captures the new password or the token. Most mail clients strip script, so JavaScript execution in the victim's client is unlikely; the realistic worst case is credential theft through a trusted-looking e-mail.
Likely Case
The attacker triggers reset e-mails for targeted users with an injected link or text that redirects the reset flow to an attacker-controlled page, capturing the credentials the user enters there.
If Mitigated
With a strict allow-list check (no query string or fragment permitted) and HTML escaping on output, anything appended to the reset URL is either rejected or rendered as inert text rather than as markup.
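The following is an added example, not Directus's own code from the advisory or PR #17120. It shows the vulnerable pattern described above (an allow-list check that compares only origin and path, followed by raw concatenation into an HTML template) beside a hardened version. `ALLOW_LIST`, the function names, the e-mail template and the attack string are constructed for illustration.

```javascript
// Added example, not Directus's own code. ALLOW_LIST, the function names and the
// e-mail template are constructed for illustration.
const ALLOW_LIST = ['https://app.example.com/reset-password'];

// Loose check: compares only origin + pathname, so anything after "?" or "#"
// that an attacker appends to an allowed URL is accepted unchanged.
function isUrlAllowedLoose(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return ALLOW_LIST.some((a) => {
    const b = new URL(a);
    return u.origin === b.origin && u.pathname === b.pathname;
  });
}

// Vulnerable pattern: the raw caller-supplied string is concatenated into the
// HTML body of the reset e-mail, so the appended markup survives intact.
function buildResetEmailVulnerable(resetUrl, token) {
  if (!isUrlAllowedLoose(resetUrl)) throw new Error('reset_url not allowed');
  const link = `${resetUrl}?token=${token}`;
  return `<p>Click <a href="${link}">${link}</a> to reset your password.</p>`;
}

// Strict check: exact scheme/host/path match, and no query, fragment or credentials.
function isUrlAllowedStrict(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.search || u.hash || u.username || u.password) return false;
  return ALLOW_LIST.some((a) => {
    const b = new URL(a);
    return u.protocol === b.protocol && u.host === b.host && u.pathname === b.pathname;
  });
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: validate strictly, let the URL API build the query string
// (only our own "token" parameter), and HTML-escape on output as defence in depth.
function buildResetEmailHardened(resetUrl, token) {
  if (!isUrlAllowedStrict(resetUrl)) throw new Error('reset_url not allowed');
  const u = new URL(resetUrl);
  u.searchParams.set('token', token);
  const link = escapeHtml(u.toString());
  return `<p>Click <a href="${link}">${link}</a> to reset your password.</p>`;
}

// Constructed attack string: an allow-listed base URL with HTML appended as a "query".
const ATTACK = 'https://app.example.com/reset-password?<img src=x onerror=alert(1)>';
```

With the loose check, `ATTACK` passes (origin and path match) and the raw `<img ...>` lands in the e-mail body; the strict check rejects it because the parsed URL has a non-empty `search`, and even a URL that did pass is escaped before it reaches the template.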
🎯 Exploit Status
Triggering the injection needs no authentication: the attacker only needs the target's e-mail address and the ability to reach the password-reset request endpoint, and the instance sends the e-mail itself. The social-engineering part is getting the recipient to act on the injected content; the technical step is a single HTTP request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.23.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6
Restart Required: Yes
Instructions:
1. Back up your Directus instance (database and configuration).
2. Update Directus to version 9.23.0 or later using your package manager or by moving to the corresponding container image tag.
3. Restart the Directus service.
4. Verify the update: confirm the running version is 9.23.0 or higher, then request a reset with an allow-listed `reset_url` that has a query string appended and check that the emailed link no longer contains the appended content unescaped.
🔧 Temporary Workarounds
Disable custom reset URL allow list
Remove custom password reset URLs from the configured allow list so that only the built-in admin-app reset page is used.
Edit the Directus configuration to unset `PASSWORD_RESET_URL_ALLOW_LIST` (the variable that controls which `reset_url` values are accepted) and restart the service. Custom front-ends that rely on their own reset page lose that flow until the instance is patched.
🧯 If You Can't Patch
- Disable custom password reset URLs entirely and use the default reset functionality
- At a reverse proxy or WAF that can inspect request bodies, reject `POST /auth/password/request` bodies whose `reset_url` contains a query string, fragment, or HTML metacharacters (raw or percent-encoded); the value is in the JSON body, not in the request's own query string
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable if it runs a Directus version below 9.23.0 AND has custom reset URLs configured in `PASSWORD_RESET_URL_ALLOW_LIST`.
Check Version:
Run `npm list directus` (for npm installations), check the version in `package.json`, or check the image tag of a containerized deployment.
Verify Fix Applied:
Confirm the running Directus version is 9.23.0 or higher, then request a reset with an allow-listed `reset_url` that has a query string appended and confirm the appended content does not appear unescaped in the emailed link.
📡 Detection & Monitoring
Log Indicators:
- Password reset requests whose `reset_url` carries a query string or fragment (the legitimate admin app sends a bare URL)
- Several reset requests for the same e-mail address in a short window, with varying `reset_url` values (payload variants)
Network Indicators:
- `POST /auth/password/request` bodies whose `reset_url` contains HTML metacharacters, raw or percent-encoded (`<`, `>`, `%3C`, `%3E`), or `javascript:`; because the value travels in the JSON body, detection needs a proxy or hook that logs it
SIEM Query:
source="directus" AND url="*/auth/password/request*" AND (reset_url="*<*" OR reset_url="*%3C*" OR reset_url="*javascript:*")
(Illustrative query in SPL-like syntax; the `reset_url` field assumes request bodies are logged, which Directus does not do by default.)
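An added detection example (not part of the original page or of Directus) that implements the log and network indicators above over constructed log lines. It assumes a reverse proxy or hook writes JSON lines with the request's `email` and `reset_url`; the field names, allow list and sample events are constructed for illustration.

```javascript
// Added example, not part of Directus or of the original page. The log format is
// constructed: it assumes a reverse proxy or hook that records the e-mail address
// and reset_url from POST /auth/password/request bodies as JSON lines.
const ALLOWED_RESET_URLS = ['https://app.example.com/reset-password'];

// Constructed sample events: one benign request, three payload variants for the
// same address from one IP, an unrelated GET, and a reset_url outside the allow list.
const SAMPLE_LOG_LINES = [
  { ts: '2023-03-02T10:00:00Z', method: 'POST', path: '/auth/password/request', ip: '203.0.113.5',
    email: 'alice@example.com', reset_url: 'https://app.example.com/reset-password' },
  { ts: '2023-03-02T10:00:05Z', method: 'POST', path: '/auth/password/request', ip: '198.51.100.7',
    email: 'bob@example.com',
    reset_url: 'https://app.example.com/reset-password?<a href="https://evil.example/login">Reset here</a>' },
  { ts: '2023-03-02T10:00:09Z', method: 'POST', path: '/auth/password/request', ip: '198.51.100.7',
    email: 'bob@example.com',
    reset_url: 'https://app.example.com/reset-password?%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E' },
  { ts: '2023-03-02T10:00:14Z', method: 'POST', path: '/auth/password/request', ip: '198.51.100.7',
    email: 'bob@example.com', reset_url: 'https://app.example.com/reset-password#junk' },
  { ts: '2023-03-02T10:01:00Z', method: 'GET', path: '/items/articles', ip: '203.0.113.9' },
  { ts: '2023-03-02T10:02:00Z', method: 'POST', path: '/auth/password/request', ip: '203.0.113.12',
    email: 'carol@example.com', reset_url: 'https://attacker.example/reset' },
].map((e) => JSON.stringify(e));

function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Returns an alert reason for a reset_url, or null when it looks benign.
function classifyResetUrl(resetUrl) {
  const idx = resetUrl.search(/[?#]/);
  const base = idx < 0 ? resetUrl : resetUrl.slice(0, idx);
  const tail = idx < 0 ? '' : resetUrl.slice(idx);
  if (!ALLOWED_RESET_URLS.includes(base)) return 'reset_url_not_in_allow_list';
  // Raw or percent-encoded HTML metacharacters after the allowed base URL.
  if (/[<>"']|%3c|%3e|%22|%27|javascript:/i.test(tail)) return 'html_in_reset_url';
  if (tail) return 'query_or_fragment_in_reset_url';
  return null;
}

// Several reset requests for one address inside a sliding window: an attacker
// trying payload variants against a target.
function burstAlerts(events, windowMs = 10 * 60 * 1000, threshold = 3) {
  const byEmail = new Map();
  for (const e of events) {
    if (!e.email) continue;
    if (!byEmail.has(e.email)) byEmail.set(e.email, []);
    byEmail.get(e.email).push(Date.parse(e.ts));
  }
  const alerts = [];
  for (const [email, times] of byEmail) {
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; j < times.length; j++) {
      while (times[j] - times[i] > windowMs) i++;
      if (j - i + 1 >= threshold) {
        alerts.push({ email, reason: 'burst_for_email', count: j - i + 1 });
        break;
      }
    }
  }
  return alerts;
}

// Runs both detections over raw log lines and returns the combined alert list.
function analyze(lines) {
  const events = lines.map(parseLine)
    .filter((e) => e && e.method === 'POST' && e.path === '/auth/password/request');
  const alerts = [];
  for (const e of events) {
    if (!e.reset_url) continue; // default reset flow via the admin app, nothing to inspect
    const reason = classifyResetUrl(e.reset_url);
    if (reason) alerts.push({ ts: e.ts, ip: e.ip, email: e.email, reason, reset_url: e.reset_url });
  }
  return alerts.concat(burstAlerts(events));
}
```

On the sample, `analyze(SAMPLE_LOG_LINES)` flags the two HTML payloads, the bare `#junk` fragment (lower severity, but not something the admin app produces), the off-allow-list URL, and a burst for `bob@example.com`; the percent-encoded variant is caught because the tail is matched before any decoding.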
🔗 References
- https://github.com/directus/directus/issues/17119
- https://github.com/directus/directus/pull/17120
- https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6