Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Directus has a Path Traversal and Broken Access Control in File Management API
Vulnerability Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Vulnerability Type
访问控制不恰当
Vulnerability Title
Directus 安全漏洞
Vulnerability Description
Directus是Directus开源的一个实时 Api 和应用程序仪表板。用于管理 Sql 数据库内容。 Directus 11.17.0之前版本存在安全漏洞,该漏洞源于PATCH /files/{id}端点接受用户控制的filename_disk参数,可能导致攻击者覆盖其他用户文件内容。
CVSS Information
N/A
Vulnerability Type
N/A