@directus/api
Directus is a real-time API and App dashboard for managing SQL database content
Security Advisories for @directus/api in npm
Severity | Published | Advisory | Ecosystem | Affected packages
Moderate | 3 months ago | Directus Vulnerable to User Enumeration via Password Reset Timing Attack | npm | @directus/api, directus
Moderate | 6 months ago | Directus Vulnerable to Information Leakage in Existing Collections | npm | @directus/api, directus
Moderate | 6 months ago | Directus's conceal fields are searchable if read permissions enabled | npm | @directus/api, directus
Critical | 8 months ago | Directus allows unauthenticated file upload and file modification due to lacking input sanitization | npm | @directus/api, directus
Moderate | 10 months ago | Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows | npm | directus
Moderate | 10 months ago | Directus tokens are not redacted in flow logs, exposing session credentials to all admin | npm | directus
Moderate | 10 months ago | Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged | npm | directus
Moderate | about 1 year ago | Directus inserts access token from query string into logs | npm | @directus/api
Moderate | about 1 year ago | Directus `search` query parameter allows enumeration of non permitted fields | npm | directus
Low | about 1 year ago | Suspended Directus user can continue to use session token to access API | npm | @directus/types, @directus/api, directus
Moderate | about 1 year ago | Directus's S3 assets become unavailable after a burst of HEAD requests | npm | directus, @directus/storage-driver-s3
Moderate | about 1 year ago | Directus's S3 assets become unavailable after a burst of malformed transformations | npm | directus, @directus/storage-driver-s3
Moderate | about 1 year ago | Directus allows updates to non-allowed fields due to overlapping policies | npm | @directus/api, directus
Low | over 1 year ago | Directus has a DOM-Based cross-site scripting (XSS) via layout_options | npm | directus
High | over 1 year ago | Directus allows unauthenticated access to WebSocket events and operations | npm | @directus/api, directus
Moderate | over 1 year ago | Directus vulnerable to SSRF Loopback IP filter bypass | npm | @directus/api, directus
High | over 1 year ago | Session is cached for OpenID and OAuth2 if `redirect` is not used | npm | @directus/api, directus
High | almost 2 years ago | Directus GraphQL Field Duplication Denial of Service (DoS) | npm | @directus/env
High | almost 2 years ago | Directus is soft-locked by providing a string value to random string util | npm | directus
Moderate | almost 2 years ago | Directus allows redacted data extraction on the API through "alias" | npm | directus
Moderate | about 2 years ago | URL Redirection to Untrusted Site in OAuth2/OpenID in directus | npm | directus
Moderate | about 3 years ago | directus vulnerable to Insertion of Sensitive Information into Log File | npm | directus
Moderate | about 3 years ago | Directus vulnerable to extraction of password hashes through export querying | npm | directus
High | about 3 years ago | directus vulnerable to HTML Injection in Password Reset email to custom Reset URL | npm | directus
Moderate | about 3 years ago | Directus vulnerable to Server-Side Request Forgery On File Import | npm | directus
Moderate | over 3 years ago | Directus vulnerable to unhandled exception on illegal filename_disk value | npm | directus
High | about 4 years ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus | npm | directus