Monospace Security Vulnerabilities (CVEs)

This timing-based user enumeration vulnerability in Directus allows attackers to determine whether specific usernames/emails exist in the system by me...

An open redirect vulnerability in Directus SAML authentication allows attackers to redirect users to malicious external websites after authentication....

A stored cross-site scripting (XSS) vulnerability in Directus allows authenticated users with file upload and edit permissions to inject malicious Jav...

This vulnerability in Directus allows authenticated users with read permissions to detect matches in concealed/sensitive fields through search functio...

This CVE describes an information disclosure vulnerability in Directus where unauthorized users can determine whether specific database collections ex...

A permission inheritance vulnerability in Directus allows stale field-level permissions to persist after field deletion. When a deleted field's name i...

This vulnerability in Directus logs sensitive authentication tokens when using WebHook triggers in Flows, exposing access and refresh tokens in system...

Directus versions 9.12.0 through 11.8.0 have an authentication bypass vulnerability in manual trigger Flows. Attackers can execute Flows without prope...

This vulnerability in Directus allows authenticated users to enumerate database field contents they shouldn't have permission to view. By exploiting t...

This vulnerability in Directus exposes sensitive data including environmental variables, API keys, and user information when a Flow with a Webhook tri...

This vulnerability in Directus's S3 storage driver allows attackers to cause denial of service for all assets by sending multiple malformed transforma...

This vulnerability in Directus allows users with overlapping update permissions to modify fields they shouldn't have access to. When multiple policies...

This vulnerability in Directus allows users with typical permissions to specify arbitrary roles when sharing items, potentially granting access to fie...

This vulnerability in Directus allows unauthenticated users to perform any CRUD operations or subscribe to data changes with full admin privileges whe...

CVE-2024-54128 is an HTML injection vulnerability in Directus's comment feature due to client-side filtering that can be bypassed. This allows attacke...

Directus systems with LOG_STYLE set to 'raw' expose access tokens in query strings within system logs. Attackers with log access can steal these token...

This vulnerability in Directus allows attackers to bypass localhost access restrictions by using alternative loopback IP addresses like 127.0.0.2 inst...

CVE-2024-6533 is a stored cross-site scripting (XSS) vulnerability in Directus v10.13.0 that allows authenticated attackers to inject malicious JavaSc...

This vulnerability in Directus allows broken access control when using _in or _nin operators with empty arrays. Attackers can bypass intended permissi...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Directus that allows attackers to bypass DNS resolution protections via HTTP ...

This vulnerability in Directus allows users with permission to view collections containing redacted hashed fields to bypass redaction and access the p...

This vulnerability in Directus allows attackers to hijack password reset emails by using email addresses with accented characters that MySQL/MariaDB t...