Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-site Scripting in Directus
Vulnerability Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Directus 跨站脚本漏洞
Vulnerability Description
Directus是一个实时 Api 和应用程序仪表板。用于管理 Sql 数据库内容。 Directus 存在跨站脚本漏洞,该漏洞源于在9.7.0版本之前,可以通过在富文本html界面中插入一个iframe来执行未经授权的JavaScript(JS),该界面链接到一个文件上传的html文件,该文件在其脚本标记中加载另一个上传的JS文件。这满足了常规的内容安全策略头,从而允许文件运行任意JS。这个问题在9.7.0版中得到了解决。作为一种解决方法,在富文本HTML界面的_optionsoverrides选项中添
CVSS Information
N/A
Vulnerability Type
N/A