Directus uses insecure defaults. The default CORS settings in the Record function of env.ts are very permissive, and in uncontrolled environments they allow an attacker to access unauthorized resources in the system.
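As an added example (not Directus's own code), the check below models how a CORS origin setting turns into response headers and flags the combination this advisory is about: an arbitrary Origin reflected back together with credentials. The config field names (enabled/origin/credentials) are assumptions modelled on the CORS_* options in the linked configuration docs, and the sample origins are constructed.

```javascript
// Added example, not Directus code. Part 1 models how a CORS config becomes
// response headers; part 2 is a defender's check over those headers.
// Config fields are assumptions modelled on the CORS_* options in the docs.

function corsHeadersFor(config, requestOrigin) {
  if (!config.enabled) return {};
  let allow;
  if (config.origin === true || config.origin === '*') {
    // `true` reflects whatever Origin the browser sent; '*' is a wildcard.
    allow = config.origin === true ? requestOrigin : '*';
  } else {
    const list = [].concat(config.origin); // explicit allow-list
    if (!list.includes(requestOrigin)) return {};
    allow = requestOrigin;
  }
  const h = { 'Access-Control-Allow-Origin': allow };
  if (config.credentials) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}

function assessCors(requestOrigin, headers, trustedOrigins = []) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const allow = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  if (allow === undefined) return 'none';            // cross-origin reads blocked
  if (allow === '*') return creds ? 'medium' : 'low'; // browsers drop cookies for '*'
  if (trustedOrigins.includes(allow)) return 'ok';
  // An untrusted Origin echoed back: with credentials, any site a logged-in
  // user visits can read authenticated API responses in their session.
  return creds ? 'high' : 'medium';
}

// Constructed scenarios: a probe from an origin the API should not trust.
const PROBE = 'https://unrelated.example';
const TRUSTED = ['https://app.example'];

const permissiveDefault = { enabled: true, origin: true, credentials: true };
const hardened = { enabled: true, origin: TRUSTED, credentials: true };
const disabled = { enabled: false };

function verdict(config, origin = PROBE) {
  return assessCors(origin, corsHeadersFor(config, origin), TRUSTED);
}

console.log('reflect + credentials:', verdict(permissiveDefault)); // high
console.log('allow-list, untrusted origin:', verdict(hardened));   // none
console.log('CORS disabled:', verdict(disabled));                  // none
```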
developer.mozilla.org/en-US/docs/Web/HTTP/CORS
github.com/advisories/GHSA-g27j-74fp-xfpr
github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
github.com/directus/directus/commit/826404bcbe769f9bcd526baec41e696237b78ebb
github.com/directus/directus/pull/12022
github.com/directus/directus/releases/tag/v9.7.0