Lucene search

GoogleOSV:GHSA-4HMQ-GGRM-QFC6

HistoryMar 07, 2023 - 8:35 p.m.

directus vulnerable to HTML Injection in Password Reset email to custom Reset URL

2023-03-0720:35:54

Google

osv.dev

directus

html injection

password reset

custom url

vulnerability

query parameters

version 9.23.0

upgrade

allow list

software

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

29.7%

JSON

Impact

Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL.

Patches

The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list.

Workarounds

Disable the custom reset URL allow list.

References

github.com/directus/directus

github.com/directus/directus/issues/17119

github.com/directus/directus/pull/17120

github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6

nvd.nist.gov/vuln/detail/CVE-2023-27474

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

29.7%

JSON

Related for OSV:GHSA-4HMQ-GGRM-QFC6